350 million email addresses exposed on misconfigured AWS S3 bucket

It is still unclear who owned the misconfigured Amazon S3 bucket.


We are running out of introductions for a story that happens this often. Just yesterday it was reported that a medical software firm exposed 3.1 million patients’ data to the public. In the latest case, 350 million unique email addresses were found sitting on a misconfigured Amazon S3 bucket that was open to the public without any authentication.

Discovered by CyberNews, the data consisted of a total of 67 CSV files, a portion of which could be further divided into the following:

  1. 7 files with plaintext email addresses numbering 50 million
  2. 7 files with hashed email addresses
  3. 7 files with hashed and salted email addresses using MD5

Image: CyberNews

According to the timestamps on the files, they were uploaded at different times, with the hashed and salted emails coming first and the plaintext emails last:

Image: CyberNews


According to CyberNews’ blog post, the remaining files included other data, such as the voice recording of people pitching a product named “Repwatch”, which has now stopped its services.

A forum discussion post on Repwatch from 2013

As for the timeline of the data exposure, the researchers believe that the unknown owner may have acquired the data from a black market in 2018 and then uploaded it to the bucket. That would mean it sat exposed for over 18 months, from then until June 10, a couple of months ago, when Amazon closed the bucket following a report by the researchers.


The incident should not come as a surprise, since misconfigured databases have exposed billions of sensitive records in the last couple of years. In fact, the situation is so critical that, according to a new poll, database configuration errors are the number one threat to cloud security.
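
A defender-side check for this kind of exposure, added here as an example and not taken from the article or from CyberNews. The article does not say which setting left the bucket open, so the code checks the two S3 mechanisms that can grant anonymous access, a bucket ACL and a bucket policy, and shows the effect of S3 Block Public Access. The bucket name, account ID and all sample settings are constructed.

```python
# Real S3 ACL group URIs: everyone on the internet / any AWS account holder.
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def public_exposure(policy, acl_grants, block=None):
    """Return findings describing how a bucket is readable without credentials."""
    block = block or {}
    findings = []
    # IgnorePublicAcls makes S3 disregard public grants even if they are still set.
    if not block.get("IgnorePublicAcls"):
        for grant in acl_grants:
            who = PUBLIC_GROUPS.get(grant.get("Grantee", {}).get("URI"))
            if who:
                findings.append(f"ACL grants {grant['Permission']} to {who}")
    # RestrictPublicBuckets cuts a public policy off from anonymous callers.
    if policy and not block.get("RestrictPublicBuckets"):
        for stmt in _as_list(policy.get("Statement", [])):
            if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
                continue
            actions = ", ".join(_as_list(stmt.get("Action", [])))
            note = " (conditional, review manually)" if stmt.get("Condition") else ""
            findings.append(f"Policy allows {actions} to anyone{note}")
    return findings

# Constructed sample settings, shaped like the S3 policy, ACL and Block Public Access data.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
SAMPLE_ACL = [{"Grantee": {"Type": "Group",
               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
ALL_BLOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for finding in public_exposure(SAMPLE_POLICY, SAMPLE_ACL):
        print("EXPOSED:", finding)
    print("with Block Public Access:", public_exposure(SAMPLE_POLICY, SAMPLE_ACL, ALL_BLOCKED))
```

Statements that carry a `Condition` are reported for manual review rather than evaluated, since a condition may or may not narrow access enough.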

To conclude, readers are advised to run a quick search for their email address on a breach notification service to find out whether it was included in these CSV files. Doing so can help you be on the lookout for the attacks that could follow, such as phishing campaigns, brute-forcing, and other types of social engineering attacks.

On the other hand, changing your password may also be a good option, just in case. Finally, the possibility of sophisticated identity theft should also be kept in mind, even if these are only email addresses, as the researchers state:

In the worst-case scenario, an exceptionally successful phishing or social engineering attack can even lead to identity theft, whereby attackers accrue so much personal data from their target that they are then able to take out loans in their victim’s name.

