Cyble’s ODIN vulnerability search tool has detected more than 200 billion exposed files in cloud buckets across seven major cloud providers.
The 200 billion exposed files reflect the sheer scale of accidental data exposure on the internet, data that’s often left publicly accessible due to misconfigurations. The files include data ranging from documents and credentials to source code and internal backups.
The ODIN platform scans cloud buckets at scale and classifies exposed content using machine learning-based detection. ODIN has also detected more than 660,000 exposed buckets, in addition to more than 91 million exposed hosts.
Cyble monitors and classifies these datasets to help organizations reduce their attack surface.
Exposed Credentials, Source Code and Confidential Files
Filtering the ODIN data for just three sensitive data types yielded millions of credentials, source code and confidential files (images below; URLs and identifying information redacted).
Filtering for “source code” and the Go language, for example, yielded 5.6 million results (image below).
Filtering for env credentials returned 110,000 results:
And a search for confidential files returned more than 1.6 million results:
Those are just three of the several sensitive data types detected by ODIN’s machine learning-based scanning.
Cloud Storage Bucket Access and Configuration
Exposed cloud storage buckets have only grown in number since Cyble reported more than 500,000 exposed buckets in August 2024.
Managing access to cloud storage buckets can be challenging even for the largest organizations, and misconfigured cloud buckets are all too common. While cloud storage is typically private by default, it can quickly get complicated when you start sharing objects or resources.
Google, for example, recommends taking a Uniform approach, which allows you to use Identity and Access Management (IAM) alone to manage permissions. The Fine-grained approach of combining IAM and Access Control Lists (ACLs) would allow you to specify access on a per-object basis, but because of the need to coordinate between the two different access control systems, there is a bigger risk of unintentional data exposure, and auditing also becomes more complicated. One way to balance access and risk is to use managed folders, which allow fine-grained access to specific groups of objects with a bucket.
Amazon S3 resources are private by default. S3 offers several access management tools, the most common of which is an access policy, which can be set based on resources such as a bucket, or identity through an IAM identity.
Microsoft recommends using Microsoft Entra ID and managed identities to authorize access to Azure Storage.
Detecting Exposed Cloud Storage Files and Buckets
Without a service like Cyble’s Cloud Security Posture Management (CSPM) platform, it can be difficult to detect misconfigurations and exposed cloud storage buckets. While usage logs are one possible option, routine audits of bucket access permissions are a critically important practice.
Data loss prevention (DLP) tools can help you identify where you have sensitive data stored that needs to be protected, and other important cloud storage security practices include object encryption and retention and lifecycle management.
Cyble’s ODIN service can help organizations detect exposed cloud storage buckets and files, and dark web monitoring tools such as those from Cyble can give organizations an early warning when data and credential leaks do occur so they can respond faster and take action to secure accounts and data.
