
AVFC data breach 2024



2 hours ago, Talldarkandransome said:

Club statement on this AWS S3 bucket data issue, I'm guessing we'll start receiving random emails about the car accidents we've had or things we've googled recently.

I had to Google what this was

What? Is this about Man Utd’s leaky roof?


1 hour ago, Talldarkandransome said:

I deal with AWS all the time, but I'd never heard of an S3 bucket. Surprised they have been compromised, though.

S3 is a fast access storage type with Amazon. All of my websites (for work) are in that kind of storage. Will be checking out security settings in the morning. <_<


22 minutes ago, choffer said:

S3 is a fast access storage type with Amazon. All of my websites (for work) are in that kind of storage. Will be checking out security settings in the morning. <_<

Had the same thought 🙂


AWS buckets are extremely useful; the onus is, however, on the user to tailor the permissions and privacy settings... I'm guessing that someone left it as accessible to everyone instead...

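The post above puts the blame on permissions that were left open to everyone. As an added illustration that is not from this thread, the club, or Cybernews, the following script evaluates, offline, the three S3 settings that decide whether a bucket is public: the bucket policy, the bucket ACL, and the four Block Public Access flags, in the JSON shapes returned by `aws s3api get-bucket-policy`, `aws s3api get-bucket-acl` and `aws s3api get-public-access-block`. The bucket name, account id, role name and owner id in the sample inputs are constructed placeholders, not the club's real configuration.

```python
import json

# Canned group grantees whose presence in an ACL grant makes the data public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# The four Block Public Access flags; all four should be true on a bucket holding member data.
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def _principal_is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (or a list that contains "*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Sids of Allow statements granted to everyone with no Condition block."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    found = []
    for i, stmt in enumerate(statements):
        if (stmt.get("Effect") == "Allow" and _principal_is_wildcard(stmt.get("Principal"))
                and not stmt.get("Condition")):
            found.append(stmt.get("Sid", f"statement[{i}]"))
    return found


def public_acl_grants(acl):
    """(group, permission) pairs for grants to AllUsers / AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def public_access_block_gaps(pab):
    """Names of the Block Public Access flags that are not enabled (all four if unset)."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return [flag for flag in PAB_FLAGS if not cfg.get(flag, False)]


def assess_bucket(name, policy=None, acl=None, pab=None):
    """Combine the three sources into one finding. 'effective_public' applies the
    Block Public Access backstop: RestrictPublicBuckets neutralises a public policy,
    IgnorePublicAcls neutralises public ACL grants."""
    gaps = public_access_block_gaps(pab)
    policy_hits = public_policy_statements(policy or {})
    acl_hits = public_acl_grants(acl or {})
    return {
        "bucket": name,
        "public_policy_statements": policy_hits,
        "public_acl_grants": acl_hits,
        "public_access_block_gaps": gaps,
        "effective_public": bool(policy_hits and "RestrictPublicBuckets" in gaps)
                            or bool(acl_hits and "IgnorePublicAcls" in gaps),
    }


# --- constructed sample inputs (placeholders, not any real bucket's settings) ---
EXPOSED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-club-prod/*"}],
}
EXPOSED_ACL = {"Owner": {"ID": "owner-id"},
               "Grants": [{"Grantee": {"Type": "Group",
                                       "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                           "Permission": "READ"}]}
NO_PAB = {"PublicAccessBlockConfiguration": {flag: False for flag in PAB_FLAGS}}

HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AppRoleOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app"},
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-club-prod/*"}],
}
PRIVATE_ACL = {"Owner": {"ID": "owner-id"},
               "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
                           "Permission": "FULL_CONTROL"}]}
FULL_PAB = {"PublicAccessBlockConfiguration": {flag: True for flag in PAB_FLAGS}}

if __name__ == "__main__":
    print(json.dumps(assess_bucket("example-club-prod", EXPOSED_POLICY, EXPOSED_ACL, NO_PAB), indent=2))
    print(json.dumps(assess_bucket("example-club-prod", HARDENED_POLICY, PRIVATE_ACL, FULL_PAB), indent=2))
```

The point of reporting the Block Public Access gaps separately is that those flags are the safety net: a wildcard policy or an AllUsers ACL grant is still a finding worth fixing, but with all four flags on it does not actually expose anything, which is why the report distinguishes the raw findings from `effective_public`.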

What does all this technical jargon mean? Give it to us in plain English. Never mind AWS bucket, call a spade a spade.


If the details in this article are true, I suspect we'll be getting a rather large fine from the ICO

Not only is it absolute negligence to allow this to happen, to fail to disclose it upon learning about it is a huge no-no.

https://cybernews.com/security/aston-villa-fc-security-gaps-expose-fans/

Quote

Aston Villa Football Club (AVFC) left a publicly leaking Amazon Web Services (AWS) S3 bucket containing the personally identifiable information of 135,770 individuals. The affected fans are vulnerable to spear phishing, social engineering attacks, and identity theft attempts.

On March 13th, 2024, the Cybernews research team discovered a publicly accessible AWS S3 bucket (cloud storage service). The storage likely belongs to Aston Villa Football Club, as it contained 135,770 member records among 5842 exposed CSV files used for storing data.

The exposed personal information contains the following:

 
  • Full names
  • Dates of Birth
  • Home addresses
  • Phone numbers
  • Email addresses
  • Membership details
  • Purchase details (date, method of payment, type of membership purchased).

Cybersecurity researchers warn that “the exposure of personally identifiable information presents a series of severe information security implications and risks to the club’s fans.”

The leaking bucket was labeled “prod” in its name, which suggests it could be used to store and manage data used in AVFC’s operational and production environments.

After responsible disclosure, the bucket is no longer public. Cybernews has reached out to AVFC for additional comments, but we have yet to receive a response.

Therefore, it’s unclear what caused the leak or whether other third parties have compromised the bucket.

 


On 23/05/2024 at 07:21, sidcow said:

What does all this technical jargon mean? Give it to us in plain English. Never mind AWS bucket, call a spade a spade.

They chucked all of our names, dates of birth, full addresses, email and phone number into a filing cabinet, and left that filing cabinet in a room with an unlocked door and hoped that nobody ever looked in it.

Edited by Davkaus

On 22/05/2024 at 21:32, Pongo Waring said:

Nothing been leaked according to https://haveibeenpwned.com/

A data leak not appearing here doesn't mean it didn't happen. This site only knows about datasets that are publicly available. They only know about a small fraction of hacks.

For this specific breach there are two possibilities:

1. It was only ever discovered by these white hat hackers, and nobody has our data

2. Other people have indexed our data but haven't shared it around to the extent that HIBP have found it and added it to their data set.


12 hours ago, Davkaus said:

A data leak not appearing here doesn't mean it didn't happen. This site only knows about datasets that are publicly available. They only know about a small fraction of hacks.

For this specific breach there are two possibilities:

1. It was only ever discovered by these white hat hackers, and nobody has our data

2. Other people have indexed our data but haven't shared it around to the extent that HIBP have found it and added it to their data set.

I have access to better intelligence than HIBP (through work) and as yet my data hasn't shown up. I suspect if it does, it'll be rolled up into a pastebin as it's too small a dataset to be valuable and doesn't contain passwords. It could also be that this data is about members, but not ST holders.

But this is why I make up a fake DoB on each site that insists on collecting such stupid data. Anyone reading this who is building systems or processes that use DoB as an identifier needs to retain my consultancy services :mrgreen:


1 hour ago, limpid said:

I have access to better intelligence than HIBP (through work) and as yet my data hasn't shown up. I suspect if it does, it'll be rolled up into a pastebin as it's too small a dataset to be valuable and doesn't contain passwords. It could also be that this data is about members, but not ST holders.

But this is why I make up a fake DoB on each site that insists on collecting such stupid data. Anyone reading this who is building systems or processes that use DoB as an identifier needs to retain my consultancy services :mrgreen:

You do look good for someone who it says is 73 ... 


6 minutes ago, LancsVillan said:

You do look good for someone who it says is 73 ... 

But are you still older than me? :mrgreen:

