Dutch security researcher Jelle Ursem has discovered a large-scale data breach at Fujitsu. Private AWS keys, customer data and plaintext passwords were publicly available on the internet for a year.
The information could be found in a publicly accessible Microsoft Azure storage bucket, Ursem, who is affiliated with the Dutch Institute for Vulnerability Disclosure, among others, tells The Stack. The bucket was called 'fjbackup' and contained several OneNote files with 'everything you need to know' about the company's customers, including the Dutch water company PWN. PWN supplies drinking water to more than 800,000 families, companies and institutions in North Holland.
The found bucket also contained a CSV file with passwords extracted from password manager LastPass and stored in plain text. It also contained a complete backup of a mailbox, containing thousands of emails and sensitive data. The bucket also contained extensive details about customer and team activities.
The bucket was open on the internet between March 2022 and early 2023. Ursem discovered the bucket in early 2023 and reported it to Fujitsu, which took some effort, according to the researcher. According to Ursem, Fujitsu does not have a clear place where security reports can be made. Through an internal contact, Ursem eventually managed to report the data breach and the bucket was taken offline in the spring of 2023. It is not known whether other people or organizations also came across the bucket during the time it was public. It is also unclear whether the information in the bucket has been used for malicious purposes. Ursem, who is active on Tweakers as Schizoduckie, regularly finds data in public sources. Tweakers spoke to him about this in an interview in 2022.
Update 2:38 PM – The article stated that an AWS bucket had been leaked. However, this is a Microsoft Azure bucket. The article has been adjusted accordingly.
Leave a Reply
You must be logged in to post a comment.