Verizon
Internal Verizon data was exposed, but the breach did not impact customers Scott Olson/Getty Images

A database containing sensitive – and potentially confidential – internal information linked to US communications giant Verizon Wireless was recently found on the web without adequate password protection, a team of US cybersecurity researchers has revealed.

On 20 September 2017, experts from Kromtech – a security division of software company MacKeeper – found a publicly accessible Amazon Web Services (AWS) database (also known as an S3 bucket) that contained roughly 100MB of Verizon Wireless files and folders.

The data, the team found upon analysis, was linked to a Verizon system known as Distributed Vision Services (DVS), which is used to manage front-end applications.

Kromtech said in its report – published Friday (22 September) – that two of the files were named "VZ Confidential" and "Verizon Confidential".

The folders allegedly included usernames and passwords that could have "easily allowed access to other parts of Verizon's internal network." It is not believed that customer data was exposed in the leak.

One of the exposed files contained more than 120 Outlook emails, with some referencing internal communications, logs and servers.

Kromtech researchers said that the database – which has now been removed – was "self-owned" by a Verizon Wireless engineer and not managed by the company.

A Verizon spokesperson did not immediately respond to request for comment from IBTimes UK.

The employee responsible for the database was not named by the cybersecurity firm, and it remains unclear how long the data was publicly accessible.

According to the team's report, the Verizon staffer later claimed– despite the seemingly sensitive file names – "no confidential stuff" was put at risk.

Nevertheless, the repository contained data including: B2B payment server names, slideshows showing alleged Verizon infrastructure, global router hosts and administrator details.

"An improperly configured S3 can lead to viewing, uploading, modifying, or deleting S3 objects by third parties," said Alex Kernishniuk, vice president of Kromtech strategy.

"To prevent S3 data loss [and] unexpected charges on your AWS bill, you need to grant access only to trusted entities by implementing the appropriate access policies," he added.

"Bruteforce tools are already scanning all possible bucket names, analysing configurations letter by letter and getting closer to your information every minute."

This is not the first time Verizon data has been exposed in this manner.

Back in July 2017, a security firm called UpGuard found that a third-party company had left the personal details of "up to 14 million" Verizon customers exposed on a cloud server.

At the time, the snafu was blamed on a misconfigured AWS S3 bucket.

Bob Diachenko, Kromtech's chief security officer, said following the fresh disclosure: "Our primary goal is to notify and secure the data, not dispute if [Verizon] is being honest or not."

"As more and more data leaks occur it makes consumers, and average individuals more vulnerable online," he continued. "We believe that companies have an obligation to not only take the proper security measures but also protect the data their employees collect and store".