Media giant Viacom has been caught making the most drastic mistake in security. Leaving passwords, server schematics, and encryption keys out there in the open for anyone to grab!
The sixth largest name in broadcast media and entertainment in the world, and the force behind brands like MTV, Comedy Central, Nickelodeon and Paramount Pictures, become the next in line of organizations that left an unprotected AWS S3 data trove.
Unprotected, so that anyone could have gained access to it, if they wanted.
And someone did.
UpGuard, a security firm that specializes in cloud data leak protection, found passwords and manifests for the Viacom Multiplatform Compute Services group handily placed inside a compressed file on the AWS S3 store.
The MCS group provides IT support for the conglomerate.
What’s even more interesting is that the security vendor also found a master provisioning server running the Puppet configuration and management tool, which could basically be used to spin up new task-specific servers for Viacom.
“Picture a skeleton key, opening not merely every door in a house, but every door that could be added to the house as well. This is the type of master access that was publicly exposed in the S3 bucket.”
There’s bad, and there’s this!
Had the Puppet server been compromised by cybercriminals, it could have had severe consequences for the company. Hackers would have had all the tools that they need to phish customers for their account details, spin up new server instances that would mimic legitimate Viacom systems for use as botnets.
Viacom quickly secured the AWS S3 instance after it was alerted by UpGuard of the security breach, and it is no longer accessible via the public Internet. The company has also confirmed after analyzing the data that there was no material impact.
UpGuard, as you may recall, are the ones that have been actively searching for and reporting these cloud security issues. This Viacom job follows their findings for Dow Jones, as well as voter and military records these past few months.