The vpnMentor cybersecurity research team uncovered a leaking S3 bucket on an Amazon server, belonging to Doxzoo, that held over 270k records and more than 343GB of data. There are potentially over 100,000 users affected by this data leak, with implications not only for copyright violations, but also for American and British military data exposure.
Doxzoo is a document printing and binding production company, based in the U.K., that has served customers globally since 2014. The data leak includes print jobs for many high-profile clients, including elite universities, U.S. and U.K. military branches, Fortune 500 companies and many more. On its website, Doxzoo boasts ISO accreditation for security.
Led by Noam Rotem and Ran Locar, the cybersecurity research team easily identified Doxzoo as the owner of the database and contacted the company with their findings. However, Doxzoo never responded to their communication attempts. They only closed the data leak after the researchers reached out to Amazon.
According to the researchers, Doxzoo has a handful of high-profile customers for whom they are executing a variety of print jobs, including complete scripts and screenplays, full-length books, sought-after paid wellness plans, and internal military handbooks, to name a few projects. They also get requests from private individuals who order family scrapbooks (complete with pictures of the kids), bachelorette souvenirs with potentially compromising photos of the bride-to-be, and more. Additionally, Doxzoo seems to regularly request full scans of photo IDs (such as passports) to fulfill orders.
Some of the data that was impacted includes:
- PII
- Full names
- Addresses
- Email addresses
- Passport scans
- PCI
- Payment method
- Last four digits of payment method
- Order details (items ordered, date, amount/receipt)
- Tracking labels
- Copyrighted Publications
- Full-length books
- Screenplays
- Scripts for one of the top TV series around the world
- Paid Programs
- University course material (including elite institutions)
- Diet and exercise plans
- Exam preparation classes
- Teacher’s guides with answers for tests
- Certifications, diplomas, and degrees
- Medical documents, log books, etc.
- Musical compositions
- Religious texts
- Floor plans detailing various security elements
- Internal military documents (including classified information)
In addition, the leak impacts the U.S., U.K., Sri Lanka, Nigeria and India. The researchers note that items contained in this leak often hold private and/or confidential information. "The promise of secure facilities and systems are key selling points for clients such as the military, and the breach of that guarantee is not only a failure in service, but also potentially holds a security risk along with it," notes the report.
For more information, visit the vpnMentor report.