Unsecured buckets could have been used for “critical” secondary attacks

A team of researchers has uncovered a trove of sensitive data left on exposed servers and belonging to global management consulting firm, Accenture.

On September 17, the UpGuard Cyber Risk Team found at least four unsecured cloud storage buckets, which contained publicly downloadable API data, authentication credentials, certificates, decryption keys, and customer information that could have been used to attack both Accenture and its clients.

According to UpGuard, the buckets’ contents appeared to be the software for the corporation’s enterprise cloud offering, Accenture Cloud Platform, a multi-cloud management platform used by Accenture’s customers, which include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500.

“With a CSTAR cyber risk score of 790 out of a possible 950, this cloud leak shows that even the most advanced and secure enterprises can expose crucial data and risk serious consequences,” explained UpGuard’s Dan O’Sullivan.

While the four S3 buckets were secured the following day, the researcher said it was “hard to overstate” the significance of Accenture’s web security blunder.

“In the hands of competent threat actors, these buckets, accessible to anyone stumbling across their URLs, could have exposed both Accenture and its thousands of top-flight corporate customers to malicious attacks that could have done an untold amount of financial damage,” O’Sullivan said.