Wednesday, 11 October 2017 08:23

Accenture's crown jewels found exposed in unsecured AWS buckets


Global corporate consulting and management firm Accenture left at least four cloud-based storage servers unsecured and open to the public, the security company UpGuard has found.

Exposed to the world were secret API data, authentication credentials, certificates, decryption keys, customer information and other data that could have been used to attack both the company and its clients.

Accenture’s customers “include 94 of the Fortune Global 100 and more than three-quarters of the Fortune Global 500”.

The exposed data was found on 17 September by UpGuard director of Cyber Risk Research, Chris Vickery, who has made a large number of similar discoveries. Four Amazon Web Services S3 storage buckets were found set up for public access and with their contents downloadable by anyone who accessed the sites using their Web address.

"A cursory analysis on 18 September of the four buckets — titled with the AWS subdomains 'acp-deployment', 'acpcollector', 'acp-software', and 'acp-ssl' — revealed significant internal Accenture data, including cloud platform credentials and configurations, [and this] prompted Vickery to notify the corporation; the four AWS servers were secured the next day," UpGuard's Dan O'Sullivan wrote in a detailed description of the find.

All four of the S3 buckets contained sensitive data about Accenture Cloud Platform, its inner workings, and Accenture clients using the platform. "All were maintained by an account named 'awsacp0175', a possible indication of the buckets’ origin."

One bucket, “acpcollector”, was used to store data needed for visibility into, and maintenance of, Accenture’s cloud stores. It held VPN keys used in production for Accenture’s private network, which meant that a master view of Accenture’s cloud ecosystem could be exposed.

"Also contained in the bucket are logs listing events occurring in each cloud instance, enabling malicious actors to gain far-reaching insight into Accenture’s operations," O'Sullivan wrote.

The bucket “acp-deployment” included configuration files for Accenture's Identity API and a document listing the master access key for Accenture’s account with Amazon Web Services' Key Management Service. This meant an unknown number of credentials were exposed to possible malicious use.

The "acp-software" bucket contained huge database dumps that included credentials, some being of Accenture clients. "While many of the passwords contained here are hashed, nearly 40,000 plaintext passwords are present in one of the database back-ups," O'Sullivan said.

"Access keys for Enstratus, a cloud infrastructure management platform, are also exposed, potentially leaking the data of other tools co-ordinated by Enstratus. Information about Accenture’s ASGARD database, as well as internal Accenture email info, are also contained here."

UpGuard said the exposed buckets could have left both Accenture and its thousands of top-flight corporate customers open to malicious attacks that could have done untold financial damage.

"It is possible a malicious actor could have used the exposed keys to impersonate Accenture, dwelling silently within the company’s IT environment to gather more information. The spectre of password re-use attacks also looms large, across multiple platforms, websites, and potentially hundreds of clients."

Contacted for comment, an Accenture spokesperson told iTWire: "There was no risk to any of our clients – no active credentials, PII (personally identifiable information) or other sensitive information was compromised.

"We have a multi-layered security model, and the data in question would not have allowed anyone that found it to penetrate any of those layers. The information involved could not have provided access to client systems and was not production data or applications."




Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.


