Internal access credentials and critical data that could be used to harm the company's business operations were part of the exposed data, according to a blog post from UpGuard.
Viacom owns Paramount Pictures, as well as cable channels like MTV, Comedy Central and Nickelodeon, and is the world's sixth-largest media corporation.
The exposed data was found on 30 August by UpGuard Cyber Risk Research director Chris Vickery, who has reported many similar leaks. The data was located at the subdomain "mcs-puppet" and contained 72 zipped files.
"Recurring throughout the contents of each decompressed file are mentions of Viacom, as well as its associated brands, including MTV, VH1, and Comedy Central – a clear indication of the data’s purpose and use," UpGuard said.
"Also frequently mentioned is the acronym 'MCS', including in the 'mcs-puppet' name of the subdomain - a further clue as to the bucket’s origin. As revealed in a number of descriptions posted within Viacom job listings, MCS likely refers to Viacom’s Multiplatform Compute Services."
The contents of the repository appeared to be either the primary or back-up configuration of Viacom's IT infrastructure.
Within the repository were passwords and manifests for Viacom’s servers, data needed to maintain and expand the IT infrastructure of a US$18 billion multinational corporation, and Viacom’s access key and secret key for the corporation’s AWS account.
"By exposing these credentials, control of Viacom’s servers, storage, or databases under the AWS account could have been compromised. Analysis reveals that a number of cloud instances used within Viacom’s IT toolchain, including Docker, New Relic, Splunk, and Jenkins, could’ve thus been compromised in this manner," UpGuard said.
The UpGuard post said that the exposed data presented several threat vectors.
"The control of Viacom digital properties could have enabled the execution of phishing schemes, using the corporation's brand recognition to trick consumers into furnishing their personal details," UpGuard said.
"The exposure of secret access keys to Viacom’s AWS account, as well as the control of the company’s server configurations and manifests, could also have allowed malicious actors to spin off additional servers to use Viacom IT systems as a botnet."