World Wrestling Entertainment, Inc. (WWE) has announced that the company is investigating an incident in which an unprotected database of more than 3 million registered users was discovered by Bob Dyachenko of cyber security firm Kromtech.
According to Dyachenko, the database was discovered unprotected on Amazon Web Services (AWS) S3, containing personal details of users including names, email and home addresses, dates of birth, genders, ethnicity, earnings, educational background and children’s age ranges.
Dyachenko told Forbes that anyone with knowledge of which web address to search could have downloaded the database in plain text since it had no security on it, not even a password.
He also noticed another database hosted on an Amazon server containing personal details of European WWE fans including names, addresses, and telephone numbers.
While it is unclear which department of WWE Corporation the database belongs to, Dyachenko believes the leak might have come from the marketing department, as the data also contained social media tracking data including posts from WWE fans and Superstars.
Dyachenko informed the company about the vulnerability on 4th July, and according to the official statement from the WWE, the vulnerability “has now been secured.” In a statement, WWE acknowledged the hack and stated that no credit card data or passwords were leaked.
“Although no credit card or password information was included, and therefore not at risk, WWE is investigating a vulnerability of a database housed on Amazon Web Services (AWS), which has now been secured. WWE utilizes leading cyber security firms Smartronix and Praetorian to manage data infrastructure and cyber security and to conduct regular security audits on AWS. We are currently working with Amazon Web Services, Smartronix, and Praetorian to ensure the ongoing security of our customer information,” said the statement.
Anurag Kahol, CTO at Bitglass, commented on the issue and told HackRead that “This incident serves to highlight the shared responsibility model of the cloud and reinforces the fact that while cloud applications themselves can be secure, it is up to enterprises to use the applications securely. In relation to this specific case, there are technologies available today that could have quickly, easily and cost-effectively encrypted the sensitive customer PII en route to the cloud. This would ensure that even after unauthorized access, the data would be protected.”
This is not the first time an unprotected database has been discovered hosted on Amazon. Last month a secret Pentagon file was left unprotected on an Amazon server, containing 28GB of confidential data related to a US military project.