It feels like every other day another tech startup is caught red-faced spilling reams of data across the internet because of a lapse in security. But even for technology giants like Amazon, it’s easy to make mistakes.
Security researcher Anurag Sen found a database packed with Amazon Prime viewing habits stored on an internal Amazon server that was accessible from the internet. But because the database was not protected with a password, the data within could be accessed by anyone with a web browser just by knowing its IP address.
The Elasticsearch database — named “Sauron” (make of that what you will) — contained about 215 million entries of pseudonymized viewing data, such as the name of the show or movie being streamed, the device it was streamed on, and other internal data, like network quality and details about the viewer’s subscription, such as whether they are an Amazon Prime customer.
According to Shodan, a search engine for internet-connected things, the database was first detected as exposed to the internet on September 30.
While it is disconcerting that a company of Amazon’s size and wealth could leave such a huge cache of data on the internet for weeks without anyone noticing, based on our review the data cannot be used to identify customers by name. But the lapse highlights a common problem that underpins many data exposures: misconfigured internet-facing servers left online without a password for anyone to access.
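The exposure described above comes down to one check: does the node answer an unauthenticated HTTP request on its Elasticsearch port, and if so, what can an anonymous visitor list? The following probe is an added example written for this article, not code from TechCrunch, the researcher or Amazon. The target host name is a placeholder (an assumption), and the response shapes it parses are the standard ones Elasticsearch returns for `GET /` and `GET /_cat/indices?format=json`.

```python
"""Probe a host for an Elasticsearch instance that answers without credentials.

Added example for this article; not code from TechCrunch, the researcher or Amazon.
The default host name below is a placeholder (assumption). Only run this against
hosts you are authorised to test.
"""
import json
import sys
import urllib.error
import urllib.request

# Banner Elasticsearch includes in its response to GET / on the HTTP port.
ES_TAGLINE = "You Know, for Search"


def classify_root(status: int, body: str) -> str:
    """Classify the reply to GET http://host:9200/.

    Returns "open" (Elasticsearch answered with cluster details and no auth),
    "auth" (credentials demanded), or "other" (not Elasticsearch, or unreachable).
    """
    if status in (401, 403):
        return "auth"
    if status != 200:
        return "other"
    try:
        info = json.loads(body)
    except ValueError:
        return "other"
    if isinstance(info, dict) and info.get("tagline") == ES_TAGLINE and "cluster_name" in info:
        return "open"
    return "other"


def summarize_indices(body: str) -> list:
    """Turn GET /_cat/indices?format=json into (index, doc_count) pairs, largest first.

    Closed indices report docs.count as null; treat those as 0 rather than failing.
    """
    rows = json.loads(body)
    summary = []
    for row in rows:
        name = row.get("index", "?")
        docs = row.get("docs.count")
        summary.append((name, int(docs) if docs not in (None, "") else 0))
    summary.sort(key=lambda pair: pair[1], reverse=True)
    return summary


def _get(url: str, timeout: float) -> tuple:
    """Fetch url and return (status, body). 4xx/5xx are returned, not raised."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        # DNS failure, refused connection or timeout: nothing reachable.
        return 0, ""


def probe(host: str, port: int = 9200, timeout: float = 5.0) -> dict:
    """Check one host and, if the node is open, list what an anonymous visitor could read."""
    base = f"http://{host}:{port}"
    status, body = _get(base + "/", timeout)
    result = {"host": host, "state": classify_root(status, body), "indices": []}
    if result["state"] == "open":
        result["cluster"] = json.loads(body).get("cluster_name")
        status, body = _get(base + "/_cat/indices?format=json", timeout)
        if status == 200:
            result["indices"] = summarize_indices(body)
    return result


if __name__ == "__main__":
    # Placeholder target (assumption); pass a real host you are allowed to test.
    target = sys.argv[1] if len(sys.argv) > 1 else "es.example.internal"
    report = probe(target)
    print(f"{report['host']}: {report['state']}")
    for name, docs in report["indices"]:
        print(f"  {name:40s} {docs:>14,d} docs")
```

A result of "open" with a non-empty index list is exactly the condition the researcher found: no credentials, and the document counts of every index readable by anyone who knows the address. The fix is on the server side, not the client: Elasticsearch 8 turns authentication on by default, but on older releases `xpack.security.enabled` must be set to `true` in `elasticsearch.yml`, and in any version `network.host` should bind to an internal address with port 9200 blocked from the internet by a firewall or security group.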
Sen provided details of the database in an effort to get the data secured, and passed the information to Amazon out of an abundance of caution. The database was inaccessible a short time later.
“There was a deployment error with a Prime Video analytics server. This problem has been resolved and no account information (including login or payment details) was exposed. This was not an AWS issue; AWS is secure by default and performed as designed,” said Amazon spokesperson Adam Montgomery.