AWS Accidentally Exposes GoDaddy Server Usage, Pricing Information

Cloud computing

The world's largest public cloud provider, Amazon Web Services, exposed sensitive information about the world's largest Internet domain host, GoDaddy, including detailed server configurations and projections on resource usage, according to a report published Thursday by Engadget.

That exposed data, if it had been discovered by hackers or business rivals, could have compromised the AWS customer's security or competitive edge.

AWS acknowledged one of its sales agents left unsecured the S3 storage bucket containing spreadsheets chock-full of data. That employee "did not follow AWS best practices with this particular bucket," a spokesperson for the cloud provider said.

[Related: Accenture Latest Company To Leave Critical Data Exposed On Amazon Web Services Server]

But information those documents contained about AWS pricing rates specific to GoDaddy were "speculative," the spokesperson said.

The GoDaddy incident comes one year after a rash of data leaks prompted Amazon to warn its customers to better protect their S3 storage buckets.

Like many of those previous high-profile data leaks, cyber-security sleuth UpGuard found the unsecured bucket and notified the companies involved.

"The exposed documents include high-level configuration information for tens of thousands of systems and pricing options for running those systems in Amazon AWS, including the discounts offered under different scenarios," UpGuard wrote.

"Essentially, this data mapped a very large scale AWS cloud infrastructure deployment," the report said.

The GoDaddy documents included a list of configuration details of more than 30,000 GoDaddy servers, including information on hostnames, operating systems, CPU and memory resources, and workloads those systems were running.

That information—contained within several revisions of a Microsoft Excel spreadsheet sitting in a bucket called abbottgodaddy—could have given rival web hosting providers a competitive advantage, or even hackers information useful for an attack on the domain registrar, UpGuard noted.

In July of 2017, AWS responded to a string of data exposures by sending reminders to an undisclosed number of customers about S3 buckets in their accounts with no controls barring public access.

At the time, an AWS spokesperson told CRN: "With some recent public disclosures by third parties of Amazon S3 bucket contents that customers inadvertently configured to allow public access, we wanted to be proactive about helping customers make sure they don’t have bucket access they didn’t intend."

The email warnings came after reports of data leaks involving Verizon, Dow Jones, WWE, and the Republican National Convention shined a spotlight on a growing problem that was jeopardizing the privacy of millions of people.

AWS noted Thursday the exposed bucket with GoDaddy account information contained no information about the domain hosting provider's own customers.

GoDaddy said the documents "do not reflect work currently underway with Amazon."