Amazon Left Massive Prime Video Telemetry Database Unsecured Online

A security researcher discovered a massive online unsecured database belonging to Amazon that was hosting Prime telemetry with more than 215 million entries.

Unsecured databases are a huge problem, especially for very large companies. In some situations, researchers need rapid access to some database, but entering credentials every time they access seems cumbersome. So they choose to either disable authentication or deploy it wrongly from the start.

As it turns out, Amazon says the Elasticsearch database dubbed Sauron was actually just suffering a deployment error in this situation. Elasticsearch databases are often used by people who need to search quickly for specific items inside vast datasets.

According to a TechCrunch report, security researcher Anurag Sen found the exposed database when using the Shodan search engine, which is typically used to find internet-connected servers that serve Internet of Things infrastructures, such as webcams, routers and so on.

There was no protection and anyone who simply knew the IP address could connect and download it. The good news is that the data it held didn’t have any personal Identifiable Information (PII) that would allow a third party to identify users. The database did contain information on which devices people use, viewing data on TV shows and movies, network quality, and much more.

Soon after Amazon was contacted about the issue, the database was secured and no longer available from the outside.

“There was a deployment error with a Prime Video analytics server. This problem has been resolved and no account information (including login or payment details) were exposed,” said Amazon spokesperson Adam Montgomery to TechCrunch. “This was not an AWS issue; AWS is secure by default and performed as designed.”