Viacom left master keys exposed on a public AWS server

"The potential nefarious acts made possible by this cloud leak could have resulted in grave reputational and business damages for Viacom, on a scale rarely seen."

The American media giant Viacom left one gigabyte of sensitive files publicly exposed, according to researchers from the cybersecurity firm UpGuard.

It’s the latest in a long string of incidents in which a wide spectrum of companies have found out that moving to cloud computing like Amazon Web Services can come with cybersecurity pitfalls resulting from misconfiguration mistakes.

The exposed files included Viacom’s secret cloud keys — information that a hacker could have used to take control of the company’s cloud servers.

“Such a scenario could enable malicious actors to launch a host of damaging attacks, using the IT infrastructure of one of the world’s largest broadcast and media companies,” UpGuard’s Dan O’Sullivan explained. “The potential nefarious acts made possible by this cloud leak could have resulted in grave reputational and business damages for Viacom, on a scale rarely seen.”


UpGuard researcher Chris Vickery originally found the leak Aug. 30 and notified Viacom the next day. The exposure was eliminated within hours.

“Once Viacom became aware that information on a server including technical information — but no employee or customer information — was publicly accessible, we rectified the issue,” a company spokesperson told CyberScoop. “We have analyzed the data in question and determined there was no material impact.”

“While Viacom has not confirmed to UpGuard the purpose of this bucket, the contents of the repository appear to be nothing less than either the primary or backup configuration of Viacom’s IT infrastructure,” O’Sullivan wrote in UpGuard’s announcement of the incident.

Vickery’s discovery comes on the heels of similar finds, including sensitive data from 14 million Verizon customers exposed on a public server, 200 million registered voters’ data exposed on a public server and 60,000 Pentagon files exposed on a Booz Allen Hamilton server mistakenly made public.

Although he’s certainly made a name for himself sniffing out such data, Vickery’s finds represent only the tip of the iceberg: Around 175,000 misconfigured cloud software and services were spotted this year alone by the cybersecurity nonprofit GDI Foundation.


In response, Amazon launched a product called Macie last month aiming to alert users to misconfigurations and security risks.

“Amazon Macie is a security service that uses machine learning to automatically discover, classify, and protect sensitive data in AWS,” the product’s website reads. “Amazon Macie recognizes sensitive data such as personally identifiable information (PII) or intellectual property, and provides you with dashboards and alerts that give visibility into how this data is being accessed or moved.”

Introduced in August, Macie is already being used by companies like Netflix to continuously monitor data in its AWS environment.

But whether cloud providers like Amazon and Microsoft can make Vickery’s job of hunting exposed data any harder remains to be seen.

This post was updated to add a statement from a Viacom spokesperson.

Latest Podcasts