Database Exposing Over 10 Million User Records
Companies that host their data on AWS have a fair advantage but are often reported to be making common mistakes like leaving in default passwords or not setting anything at all! Such misconfigurations can let attackers access it and exfiltrate in some cases, using it for other exploitations. One such company is Prestige Software, an online hospitality firm managing the online reservations of hotels. As Website Planet reported, Prestige Software has exposed its database on the AWS S3 bucket and secured it after being notified. It said the whole database was worth 24.4 GB, containing more than 10 million exposed files. This affects hotel reservation companies like Agoda, Amadeus, Booking.com, Expedia, Hotels.com, Hotelbeds, Omnibees, Sabre, etc. Researchers reported that the exposed database contained PII of millions of users, in the format of Full names, email addresses, national ID numbers, and phone numbers of hotel guests. Further, there’s also the sensitive credit card data like card number, cardholder’s name, CVV, expiration date, and payment details for hotel reservations. The trove is updated with thousands of records while being exposed; as Website Planet said, over 180,000 records from August 2020 were seen. As such, exposures can give rise to identify theft, impersonation, and common phishing attacks for further exploitation.