Two major PDF creation tools, both owned by the same company, were reportedly operating a misconfigured database that leaked sensitive user data to the internet via an exposed Amazon S3 bucket.
According to researchers from Cyber News, PDF Pro and Help PDF have leaked over 89,000 documents so far and are apparently continuing to do so. The tools are owned by the same legal entity, are registered in the UK, and have a similar design; both offer similar services: converting, compressing, editing and signing PDF documents.
Meanwhile, users continue to upload sensitive files, including passports, driving licenses, various certificates, contracts, as well as other documents and information, unaware that they are now accessible to anyone who knows where to look for them.
Unprotected databases
“With access to personal documents, criminals can engage in a variety of fraudulent activities, such as applying for loans, renting properties or purchasing expensive items using the victim’s identity,” the researchers said.
At the same time, the company leaking the information could face significant fines if some of the documents belong to European Union (EU) citizens, since in that case they fall under strict GDPR rules.
The company is keeping quiet for now, but it's safe to assume that the Amazon S3 bucket will be blocked fairly soon (if it isn't already by the time you're reading this).
Unprotected databases remain one of the biggest causes of information leaks and data breaches. Many companies, including large enterprises and even government organizations, have so far managed to leak millions of data records after their employees mistakenly saved a file on the Internet without any protection.
Online services, especially free ones, are not exactly known for their data protection practices, so it is recommended to be very careful in any case.