- Researchers discovered an unprotected Amazon S3 bucket that contains 6.2 million email addresses.
- The data appears to have been uploaded in the context of a political campaign.
- The data remained accessible for almost a full decade, but it is unknown if anyone downloaded it.
According to a revelation by the UpGuard Data Breach Research Team, an employee of the Democratic Senatorial Campaign Committee (DSCC) uploaded around 6.2 million email addresses to a misconfigured Amazon S3 storage bucket named “toclinton”. The email addresses belong to government agency employees, high-ranking members of the military, staff of major email providers, universities, and more. The addresses were originally uploaded to the bucket in 2010, but UpGuard only discovered it on July 25, 2019, and disclosed the finding just yesterday, after the bucket had been secured.
As configured, the bucket was accessible to anyone with a free AWS account. Its content consisted of a single file named “EmailExcludeClinton.zip”, which in turn contained a 145MB .csv file holding the 6,235,397 email addresses. The list is probably an “exclusion” list of people who should not receive DSCC marketing emails related to Hillary Clinton’s campaign for the presidential nomination. While the bucket’s permissions allowed anyone to download or even modify its contents, the researchers found no evidence that anyone had touched the .csv file, as its last modification dates from September 17, 2010.
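The exposure described above, “anyone with a free AWS account” able to read and modify the bucket, corresponds to S3 ACL grants to the AuthenticatedUsers group. The following check, an added example that is not part of the article or of UpGuard’s tooling, takes an ACL in the shape returned by boto3’s `s3.get_bucket_acl()` and lists every grant to a public group; the sample ACL is constructed here to resemble the reported case.

```python
# Added example: flag S3 bucket ACL grants to the two public groups, i.e. every
# AWS account (AuthenticatedUsers) or the whole internet (AllUsers), and say
# what each grant allows. The sample ACL below is constructed, not real data.

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}

# What each S3 ACL permission lets the grantee do with the bucket.
PERMISSION_EFFECT = {
    "READ": "list and download objects",
    "WRITE": "create, overwrite or delete objects",
    "READ_ACP": "read the bucket ACL",
    "WRITE_ACP": "change the bucket ACL",
    "FULL_CONTROL": "read, modify and re-permission everything",
}


def risky_grants(acl):
    """Return (audience, permission, effect) for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # canonical users and e-mail grantees name a specific principal
        audience = PUBLIC_GROUPS.get(grantee.get("URI"))
        if audience is None:
            continue  # LogDelivery and other non-public groups
        perm = grant["Permission"]
        findings.append((audience, perm, PERMISSION_EFFECT.get(perm, "unknown")))
    return findings


# Constructed ACL resembling the reported bucket: any AWS account may read and write.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-CANONICAL-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "WRITE"},
    ],
}
```

Against a live account, pass the dict returned by `boto3.client("s3").get_bucket_acl(Bucket=name)` to `risky_grants`; an empty result means no public-group grants, though bucket policies and object-level ACLs still need separate review.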
Data collection and analysis are critical in political campaigns today, but at the same time the need for responsible data management that minimizes the risk of data exposure is more pressing than ever. In this case, the data stayed unprotected and available for anyone to access for almost nine years. Some may think that email addresses alone are nothing to worry about, but as part of an exclusion list belonging to a particular political party, they give malicious actors multiple ways to take advantage of the data.
Hillary Clinton demonstrated her own carelessness in 2016 when she used a private email server instead of official State Department email accounts to send over 100 email messages that were marked “Top Secret” and “Secret”. More recently, we saw that 90% of the candidates for the upcoming 2020 US national elections are not deploying the advanced email security and authentication systems that would reduce the risk of business email compromise (BEC) attacks. All in all, politicians and the vast ecosystem that works feverishly during pre-election periods introduce unprecedented dangers for the data of individuals and organizations alike. It is time to regulate the whole process and secure this data through specific procedures, rather than relying solely on the technical competence and accountability of the people handling data in political campaigns.