Exposed to the world were secret API data, authentication credentials, certificates, decryption keys, customer information and other data that could have been used to attack both the company and its clients.
Accenture’s customers “include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500”.
The exposed data was found on 17 September by UpGuard director of Cyber Risk Research, Chris Vickery, who has made a large number of similar discoveries. Four Amazon Web Services S3 storage buckets were found set up for public access and with their contents downloadable by anyone who accessed the sites using their Web address.
All four of the S3 buckets contained sensitive data about Accenture Cloud Platform, its inner workings, and Accenture clients using the platform. "All were maintained by an account named 'awsacp0175', a possible indication of the buckets’ origin."
One bucket, “acpcollector”, was used to store data needed for visibility into, and maintenance of, Accenture’s cloud stores. It held VPN keys used in production for Accenture’s private network, which meant that a master view of Accenture’s cloud ecosystem could be exposed.
"Also contained in the bucket are logs listing events occurring in each cloud instance, enabling malicious actors to gain far-reaching insight into Accenture’s operations," O'Sullivan wrote.
The bucket “acp-deployment” included configuration files for Accenture's Identity API and a document listing the master access key for Accenture’s account with Amazon Web Services' Key Management Service. This meant an unknown number of credentials were exposed to possible malicious use.
The "acp-software" bucket contained huge database dumps that included credentials, some being of Accenture clients. "While many of the passwords contained here are hashed, nearly 40,000 plaintext passwords are present in one of the database back-ups," O'Sullivan said.
"Access keys for Enstratus, a cloud infrastructure management platform, are also exposed, potentially leaking the data of other tools co-ordinated by Enstratus. Information about Accenture’s ASGARD database, as well as internal Accenture email info, are also contained here."
UpGuard said the exposed buckets could have left both Accenture and its thousands of top-flight corporate customers open to malicious attacks that could have done untold financial damage.
"It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information. The spectre of password re-use attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients."
Contacted for comment, an Accenture spokesperson told iTWire: "There was no risk to any of our clients – no active credentials, PII (personally identifiable information) or other sensitive information was compromised.
"We have a multi-layered security model, and the data in question would not have allowed anyone that found it to penetrate any of those layers. The information involved could not have provided access to client systems and was not production data or applications."