19.6 Billion Files Exposed in Misconfigured Cloud Buckets Across Major Providers
What Happened – Researchers at Mysterium VPN scanned 535,480 publicly listable cloud storage buckets on Amazon S3, Google Cloud, Azure, DigitalOcean and Alibaba and identified roughly 19.6 billion files that could be accessed without authentication. Among them were 685 k credential files (e.g., .env, private keys, password‑vault databases) and nearly 1 million database dumps (.sql, .bak). No exploitation was required – a simple web request revealed the data.
Why It Matters for TPRM –
- Mis‑configured storage is a systemic third‑party risk that can affect any organization using cloud buckets.
- Exposure of credentials and full database exports provides attackers with “master keys” to compromise downstream systems.
- The sheer volume (billions of files) indicates that many vendors lack adequate governance, monitoring, and configuration‑as‑code controls.
Who Is Affected – SaaS providers, fintech platforms, health‑tech/EHR vendors, retail e‑commerce sites, government agencies, and virtually any business that stores data in public cloud buckets.
Recommended Actions –
- Conduct an inventory of all third‑party cloud buckets used by your vendors and verify that they are not publicly listable.
- Enforce bucket‑level access controls (IAM policies, bucket policies, ACLs) and enable server‑side encryption.
- Deploy automated misconfiguration scanning tools (e.g., CSPM) and integrate findings into your vendor risk program.
- Require vendors to provide evidence of regular cloud‑security posture assessments and remediation processes.
Technical Notes – Attack vector: MISCONFIGURATION of cloud storage buckets. No CVE is involved; the issue stems from missing or overly permissive IAM policies. Exposed data types include credential files (.env, .kdbx, private keys), database dumps (.sql, .bak), and a wide range of business documents (invoices, passports, KYC files). Source: SecurityAffairs – 19.6 Billion Files Are Sitting Open on the Internet. No Password Required