Carrie
Hotel Booking Data Breach of Taiwan Tourists

Blockchain technology solutions company OwlTing inadvertently leaked sensitive data of 765,000 users due to an open access setting on their AWS storage (S3). The breach primarily affected hotel guests in Taiwan.

Discovery

On July 29, the Cybernews research team discovered a misconfigured Amazon S3 bucket during a routine OSINT investigation. The S3 bucket stored a large number of files. S3 buckets are simple cloud storage containers on Amazon Web Services (AWS), akin to folders used for storing files.

Over 168,000 CSV and XLSX documents in the bucket contained personally identifiable information (PII) of more than 765,000 customers.

The breach was attributed to OwlTing, a Taiwanese company renowned for providing blockchain solutions across various sectors, including global tourism, food safety, hospitality, media, and other e-commerce fields.

Company Response

OwlTing confirmed the incident and took appropriate measures to seal the leak. However, the company downplayed the severity of the incident, stating that “no sensitive data was involved.”

Cybernews researchers warned: “The exposure of personal information, such as names, phone numbers, and hotel booking details, can lead to various forms of identity theft and fraud, posing serious risks to affected individuals.”

Data Leaked

The leaked data appears to be related to hotel management services and includes booking details from popular platforms like Booking and Expedia.

The leaked data includes:

  • Full names
  • Phone numbers and some email addresses
  • Hotel booking details, such as order dates, check-in and check-out dates, room numbers and types, paid and unpaid amounts, currencies, and the booking service used.

Only around 3,000 email addresses were leaked, with most of the exposed information being phone numbers. The total number of leaked records approached 9 million.

Over 92% of the leaked phone numbers belonged to Taiwanese users. The data set also included thousands of users from Japan, Hong Kong, Singapore, Malaysia, Thailand, and South Korea. There were very few American users, but the data included hundreds of users from most European countries.

Potential for Exploitation

Cybernews researchers warned that the leaked data is extremely valuable to cybercriminals skilled in spear phishing, vishing (voice phishing), smishing (SMS phishing), and other social engineering attacks. Additionally, this data could be combined with other previously leaked data to attempt financial fraud or account takeover attacks.

“Attackers could leverage past hotel booking details to launch highly convincing phishing attacks. For example, a text message or email mentioning a previous stay at a hotel, asking for feedback or offering discounts for future bookings, could entice individuals to click on malicious links or provide further personal information,” researchers warned.

Scammers might call or text users, posing as hotel staff or related service personnel, asking for sensitive information like credit card numbers or passwords. Additionally, a long list of phone numbers could be used for illegal autodialing.

Doxxing is another serious threat, where cybercriminals search the internet for sensitive materials that can be used for financial or personal gain.

Cybercriminals use AI and other tools to launch large-scale attacks automatically.

The Cybernews research team could not verify if this data was accessed by any threat actors or third parties. We contacted OwlTing for further comments but did not receive a response before publication.

Caution with Amazon S3 Buckets

Organizations relying on cloud resources to manage sensitive information should implement robust security measures for their S3 buckets.

If an Amazon S3 bucket is exposed, Cybernews researchers recommend the following mitigation steps:

  • Change access controls to restrict public access and secure the bucket. Update permissions to ensure that only authorized users or services have the necessary access.
  • Review access logs retrospectively to assess whether the bucket has been accessed by unauthorized parties.
  • Enable server-side encryption to protect data at rest.
  • Use AWS Key Management Service (KMS) to securely manage encryption keys.
  • Implement SSL/TLS for data in transit to ensure secure communication.
  • Consider implementing security best practices, including regular audits, automated security checks, and staff training.
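As an added example (not part of the original article or the Cybernews report), the access-control, encryption and TLS items above can be turned into an automated check. The sketch assumes the inputs mirror the shapes returned by the S3 GetPublicAccessBlock, GetBucketAcl, GetBucketPolicy and GetBucketEncryption APIs; the finding labels, the bucket ARN and both sample configurations are constructed for illustration.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # ACL group meaning "anyone"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    # A policy principal is anonymous when it is "*" or {"AWS": "*"}.
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def audit_bucket(public_access_block, acl_grants, policy_json, encryption_rules):
    """Return findings for one bucket; an empty list means every check passed."""
    findings = []
    missing = [f for f in PAB_FLAGS if not public_access_block.get(f)]
    if missing:
        findings.append("public-access-block-incomplete: " + ",".join(missing))
    if any(g.get("Grantee", {}).get("URI") == ALL_USERS for g in acl_grants):
        findings.append("acl-grants-all-users")
    statements = _as_list(json.loads(policy_json).get("Statement", [])) if policy_json else []
    tls_enforced = False
    for s in statements:
        # Unconditional Allow to everyone; conditioned statements still need manual review.
        if s.get("Effect") == "Allow" and _is_wildcard(s.get("Principal")) and not s.get("Condition"):
            findings.append("policy-allows-anonymous: " + ",".join(_as_list(s.get("Action", []))))
        secure = s.get("Condition", {}).get("Bool", {}).get("aws:SecureTransport")
        if s.get("Effect") == "Deny" and str(secure).lower() == "false":
            tls_enforced = True  # plain-HTTP requests are denied
    if not tls_enforced:
        findings.append("tls-not-enforced")
    algos = [r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm", "") for r in encryption_rules]
    if not any(a.startswith("aws:kms") for a in algos):
        findings.append("no-kms-default-encryption")
    return findings

# Constructed sample configurations (not taken from the incident).
EXPOSED = dict(public_access_block={},
    acl_grants=[{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}],
    policy_json=json.dumps({"Statement": [{"Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket/*"}]}),
    encryption_rules=[{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}])
HARDENED = dict(public_access_block=dict.fromkeys(PAB_FLAGS, True),
    acl_grants=[{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"}],
    policy_json=json.dumps({"Statement": [{"Effect": "Deny", "Principal": "*", "Action": "s3:*",
        "Resource": "arn:aws:s3:::example-bucket/*", "Condition": {"Bool": {"aws:SecureTransport": "false"}}}]}),
    encryption_rules=[{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}])

for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
    print(name, audit_bucket(**cfg))
```

Running the same function on a schedule against every bucket's live configuration covers the "automated security checks" item in the list.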

OwlTing, founded in 2010 and headquartered in Taiwan, specializes in providing blockchain technology solutions for various industries. The company operates globally with offices in the US, Japan, Malaysia, Thailand, and Singapore.

Disclosure Timeline

  • July 29, 2024: Breach discovered.
  • August 2, 2024: Initial disclosure email sent, followed by multiple subsequent emails.
  • September 13, 2024: Notified Taiwan CERT.
  • September 19, 2024: Data access closed.

This article is written by Duyan Intelligence.


I'm Carrie, a cybersecurity engineer and writer, working for SafeLine Team. SafeLine is an open source web application firewall, self-hosted, very easy to use.