by yeukhon 3209 days ago
Time Warner Cable also had the same data breach. I wonder whether by "passwordless" they meant that someone was able to run an ls command on the bucket and download its contents as a public/anonymous user (direct S3 link)? If that is what happened, I bet you someone probably didn't have time to implement secure link, just decided to make the bucket open.
2 comments

> someone probably didn't have time to implement secure link, just decided to make the bucket open.

That sounds more likely. AWS permissions are tricky, but not so tricky that it's easy to leave a bucket wide open like that. In my experience, they're much more likely to lock out someone who should be able to access them than to allow someone who shouldn't. Just bad practice to give up and allow anyone in.

Another possibility: someone was doing testing (and at that stage was too lazy), they made it public, and forgot about it even after they implemented authorization at the application level. Could have used Trusted Advisor...
There's always time to implement basic security when it comes to personally identifiable info. This was simple ineptitude.
Yes, agree, but incidents like this usually originate from laziness / forgetting about turning the switch off.
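The thread's two concerns, an anonymous user being able to ls and download from a bucket, and the later point that an audit (Trusted Advisor style) would have caught the forgotten public setting, can both be illustrated with a small offline check. This is an added example, not code from the post or from AWS: it evaluates a bucket's ACL grants and bucket policy (the same structures boto3 returns from get_bucket_acl()["Grants"] and get_bucket_policy()["Policy"]) and reports which anonymous capabilities are exposed. The sample ACLs and policy below are constructed.

```python
import json
from fnmatch import fnmatch

# Grantee URIs AWS uses in bucket ACLs for "everyone" and "any AWS account".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _principal_is_public(principal):
    # Principal "*" or {"AWS": "*"} in a bucket policy means anonymous callers.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_exposure(acl_grants, bucket_policy_json=None):
    """Return which anonymous capabilities a bucket exposes: 'list' (ls the keys)
    and/or 'read' (download objects by direct link). Deliberately conservative:
    a statement's Condition block is ignored, so wildcard statements that are
    narrowed by a condition are still flagged for a human to review."""
    exposed = set()
    for grant in acl_grants:
        # Bucket ACL READ to AllUsers/AuthenticatedUsers lets anyone enumerate keys.
        if (grant.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            exposed.add("list")
    if bucket_policy_json:
        for stmt in json.loads(bucket_policy_json).get("Statement", []):
            if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
                continue
            actions = stmt.get("Action", [])
            patterns = [actions] if isinstance(actions, str) else actions
            # IAM action names are case-insensitive and may be wildcarded (s3:Get*, s3:*, *).
            if any(fnmatch("s3:listbucket", p.lower()) for p in patterns):
                exposed.add("list")
            if any(fnmatch("s3:getobject", p.lower()) for p in patterns):
                exposed.add("read")
    return exposed

# Constructed sample inputs (not taken from any real account).
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
PRIVATE_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
                "Permission": "FULL_CONTROL"}]

if __name__ == "__main__":
    print(sorted(public_exposure(OPEN_ACL, OPEN_POLICY)))   # ['list', 'read']
    print(sorted(public_exposure(PRIVATE_ACL)))             # []
```

The check covers bucket-level settings only; objects individually given a public-read ACL would need a per-object pass, and S3 Block Public Access at the account or bucket level overrides both structures when it is turned on.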