Time Warner Cable subscriber records stored on Amazon server without a password
04 Sep 2017
Around four million records containing the personal details of Time Warner Cable (TWC) subscribers were discovered stored on an Amazon server without a password late last month.
The files, over 600GB in size, were discovered on 24 August by the Kromtech Security Cente even as its researchers investigated an unrelated data breach at World Wrestling Entertainment.
The researchers found two Amazon S3 buckets linked to BroadSoft, a global communications company that partners with service providers, including AT&T and TWC.
The TWC record information was not unique for all details exposed, instances of duplicate information, were also seen, meaning the breach ultimately exposed less than four million customers. But due to the size of the cache, however, the researchers could not immediately say precisely how many were affected.
The leaked details included usernames, emails addresses, MAC addresses, device serial numbers, and financial transaction information, but Social Security numbers or credit card information was not exposed.
Charter Communications acquired Time Warner Cable last year and is now called Spectrum, though the leaked records date back from this year to at least 2010.
Other databases revealed billing addresses, phone numbers and other contact inform for at least hundreds of thousands of TWC subscribers.
The servers also contained internal company records, including SQL database dumps, internal emails, and code containing the credentials to an unknown number of external systems.
BroadSoft, a communication software and service provider used by Time Warner Cable, left in excess of 600 GB of private files publicly accessible online in two separate Amazon Web Services repositories, Kromtech Alliance's security research team said in a blog post on Friday.
The BroadSoft data was not properly configured to allow public access in AWS, Kromtech said.
Kromtech added that most of the exposed data appeared to be related to Time Warner Cable, Bright House Networks and AMC Network.
One of the files contained over 4 million records including usernames, account numbers, transaction IDs and other info spanning 26 November 2010 to 7 July 2017.