Alteryx Data leak once again highlights third-party vendor risk
One massive data leak after another, then another and then another – calling it routine would be an understatement. Alteryx, a California-based data analytics firm, is the latest in line to publicly expose the sensitive personal information of millions of Americans. How many exactly? 123 million. We’ve heard “information of millions of Americans leaked” so many times in recent memory that we’ve moved past the point where it used to surprise us. The Alteryx data leak was discovered by UpGuard, a cybersecurity firm based out of California.
Alteryx’s file bucket, stored on Amazon Web Services S3 cloud storage, was found to be unsecured, as in, without any protection (did I spell ‘any’ right?). Heck, even you could have accessed it by just creating a free AWS account, just like over a million other users of AWS. That’s it; that’s all one needed to get their hands on tens of millions of rows of data on virtually every American household. No hacking, no coding, no James Bond-style Goldfinger hacking jacket; a free account is all you needed. It was lying on the internet like a piece of paper on the street; all you needed to do was bend over!
You must have some questions regarding this data leak. Let us clear the air about the Alteryx data leak by answering a few of the most asked questions.
Where exactly were the files located? How were they discovered?
Chris Vickery, UpGuard’s Director of Cyber Risk Research, found an Amazon Web Services S3 cloud storage bucket on an “alteryxdownload” subdomain that held the sensitive information of the majority of American households. By default, AWS S3 allows only authenticated users to access the data stored. Unfortunately, this was not the case here.
On this subdomain, any AWS-authenticated user could access these files (there’s that word again, any). By “authenticated” I mean ANY user who has an AWS account: the bucket’s access control list granted read access to the AWS “Authenticated Users” group, which is not your users but every AWS account in existence. One could easily create a dummy AWS account and get into the bucket. It was that simple!
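The distinction above is the whole story of this leak, so here is a small audit that makes it concrete. This is an added example, not code from the article, from Alteryx or from UpGuard: the function names (`risky_grants`, `report`), the constant names and the two sample ACL documents are my own, and the ACLs are constructed to mirror the shape boto3 returns from `s3.get_bucket_acl()` so the script runs offline without touching AWS. It flags any grant to the predefined “Authenticated Users” group (every AWS account) or “All Users” group (no account needed at all).

```python
"""Flag S3 bucket ACL grants that expose a bucket to every AWS account or to
the whole internet.

Added example, not code from the article or from Alteryx/UpGuard. The ACL
documents below are constructed to mirror the shape returned by boto3's
s3.get_bucket_acl(); no AWS call is made here.
"""

# The two predefined S3 groups that make a bucket readable by outsiders.
# "AuthenticatedUsers" means any AWS account holder, including one created
# for free minutes ago; "AllUsers" means anyone, no account needed.
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
RISKY_GROUPS = {
    AUTHENTICATED_USERS: "any AWS account",
    ALL_USERS: "anyone on the internet",
}


def risky_grants(acl):
    """Return a list of (audience, permission) for every grant in ``acl`` that
    hands a permission to one of the predefined global groups.

    ``acl`` is a dict shaped like boto3's get_bucket_acl() response:
    {"Owner": {...}, "Grants": [{"Grantee": {"Type": ..., "URI": ...},
                                 "Permission": ...}, ...]}
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical-user grants are scoped to one specific account
        uri = grantee.get("URI", "")
        if uri in RISKY_GROUPS:
            findings.append((RISKY_GROUPS[uri], grant.get("Permission")))
    return findings


def report(bucket_name, acl):
    """One human-readable line per bucket, suitable for log output."""
    findings = risky_grants(acl)
    if not findings:
        return f"{bucket_name}: OK (no global group grants)"
    detail = ", ".join(f"{perm} to {who}" for who, perm in findings)
    return f"{bucket_name}: EXPOSED ({detail})"


# Constructed sample ACLs (hypothetical owner, not real Alteryx data).
OWNER = {"DisplayName": "example-owner", "ID": "0" * 64}

# A private bucket: only the owning account's canonical user has access.
PRIVATE_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]},
         "Permission": "FULL_CONTROL"},
    ],
}

# The misconfiguration described in the article: READ granted to the
# "Authenticated Users" group, i.e. every AWS account.
AUTH_USERS_ACL = {
    "Owner": OWNER,
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER["ID"]},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
         "Permission": "READ"},
    ],
}

if __name__ == "__main__":
    for name, acl in (("private-bucket", PRIVATE_ACL),
                      ("sample-download-bucket", AUTH_USERS_ACL)):
        print(report(name, acl))
```

To run this against a real bucket you own, feed it the JSON printed by `aws s3api get-bucket-acl --bucket NAME` (parsed with `json.load`); the grant shape is the same. The fix for a finding is to remove the group grant, and the durable mitigation is to turn on S3 Block Public Access at the account level so that such ACLs can no longer take effect.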
What Information has been leaked?
Alteryx, being a data analytics firm, is partnered with Experian, a credit reporting agency, and the US Census Bureau. As a result, the leaked repository held data provided by both Experian and the 2010 US Census. Although the files didn’t contain names, they are said to have 248 different data fields that include address, estimated income, phone number(s), the span of time for which your car has been in use and countless other details. The primary database is around 36 gigabytes. These files even know whether you’re a cat person or a dog person. And NO, I’m not kidding.
What does the researcher have to say?
“I’m a little disappointed that [Alteryx] would just leave it unencrypted out there for anybody, and that Experian would just give them a copy like that,” he said. “Keeping it open and in the clear is just asking for trouble,” said Chris Vickery, UpGuard’s Director of Cyber Risk Research, to the Huffington Post.
“If you’re an American, your information probably was exposed,” he added.