Japanese sport developer Ateam has confirmed {that a} easy Google Drive configuration mistake can lead to the potential however unlikely publicity of delicate info for almost a million individuals over a interval of six years and eight months.
The Japanese agency is a cell video games and content material creator, encompassing Ateam Leisure, which has a number of video games on Google Play like Conflict of Legions, Darkish Summoner, Hatsune Miku – Faucet Marvel, and instruments like Reminiscence Clear | Sport Enhance Grasp, and Good Night time’s Sleep Alarm.
Earlier this month, Ateam knowledgeable customers of its apps and providers, staff, and enterprise companions that on November 21, 2023, it found that it had incorrectly set a Google Drive cloud storage occasion to “Anybody on the web with the hyperlink can view” since March 2017.
The insecurely configured Google Drive occasion contained 1,369 information with private info on Ateam clients, Ateam enterprise companions, former and present staff, and even interns and individuals who utilized for a place on the firm.
Ateam has confirmed that 935,779 people had their information uncovered, with 98.9% being clients. For Ateam Leisure particularly, 735,710 individuals have been uncovered.
The information uncovered by this misconfiguration varies relying on the kind of relationship every particular person had with the corporate and will embrace the next:
- Full names
- Electronic mail addresses
- Cellphone numbers
- Buyer administration numbers
- Terminal (machine) identification numbers
The corporate says it has seen no concrete proof of menace actors having stolen the uncovered info however urges individuals to stay vigilant for unsolicited and suspicious communications.
Safe your cloud providers
Setting Google Drive to “Anybody with the hyperlink can view” makes it viewable solely to these with the precise URL, sometimes reserved for collaboration between individuals working with non-sensitive information.
If an worker, or another person with the hyperlink, mistakenly uncovered it publicly, it may get listed by search engines like google and yahoo and develop into broadly accessible.
Whereas it is unlikely that anybody discovered an uncovered Google Drive URL on their very own, this notification demonstrates a necessity for corporations to correctly safe their cloud providers to forestall information from being mistakenly uncovered.
It is rather widespread for menace actors and researchers to seek out uncovered cloud providers, equivalent to databases and storage buckets, and obtain the info contained in them.
Whereas researchers often responsibly disclose the uncovered information, if menace actors discover it, it may result in greater issues as they use it to extort corporations or promote it to different hackers to make use of in their very own assaults.
In 2017, safety researcher Chris Vickery discovered misconfigured Amazon S3 buckets exposing databases containing 1.8 billion social and discussion board posts made by customers worldwide.
Ten days later, the identical researcher found one other misconfigured S3 bucket that uncovered what seemed to be categorised info from INSCOM.
Whereas these breaches had been responsibly disclosed, different cloud service misconfigurations have led to the info being leaked or offered on hacker boards.
Misconfigured Amazon S3 buckets have develop into a sufficiently big drawback that researchers have launched instruments that scan for uncovered buckets.
The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has additionally launched steerage for corporations on methods to correctly safe cloud providers.
