
Leaky buckets and open databases: cloud misconfiguration by the numbers

Cloud misconfigurations remain one of the top causes of data exposure. From open S3 buckets to unauthenticated MongoDB instances, here's what the 2023-2024 data actually shows.

FoxHat Research · July 8, 2024 · 6 min read

Despite a decade of AWS best-practice documentation, cloud misconfigurations are still leaking terabytes of sensitive data every year. The problem is not ignorance — it is scale. A single S3 bucket policy typo, an overly permissive IAM role, or a default-exposed database port can put millions of records on the public internet before anyone notices.

  • 21% of error-related breaches caused by misconfiguration (Source: Verizon DBIR 2023)
  • 74% of all breaches include the human element (Source: Verizon DBIR 2023)
  • 1,304 software packages affected by supply-chain misconfig attacks in 2024 (Source: Statista / Sonatype 2024)

The anatomy of a typical leak

Most cloud data leaks follow a depressingly similar pattern. A developer spins up a storage bucket for a prototype, sets it to public-read for convenience, and forgets about it. Six months later the bucket contains production backups, log files with session tokens, and customer PII. An attacker running automated scans on Shodan or Censys finds the bucket, downloads the data, and either sells it or uses it for follow-on attacks.

Common misconfiguration types in the wild

  • S3 buckets with public-read or public-read-write ACLs
  • Unauthenticated MongoDB, Elasticsearch, or Redis instances exposed to 0.0.0.0/0
  • Overly permissive IAM policies attached to compute instances
  • Default admin credentials left on managed databases or Kubernetes dashboards
  • Publicly accessible EBS snapshots or RDS database backups
  • CloudFront or CDN origins that bypass origin-access-identity protections
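As an added example (not FoxHat's code), here is an offline check for the first item above: given a bucket ACL and a bucket policy in the shape the AWS S3 API returns them, it reports ACL grants to the AllUsers/AuthenticatedUsers groups and policy statements that allow any principal. The sample ACL, policy, bucket name and role ARN are constructed; in practice you would feed it the responses of get_bucket_acl and get_bucket_policy for each bucket in the account.

```python
import json

# The two grantee URIs that make an S3 ACL grant world-readable or world-writable.
PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def _principal_is_everyone(principal):
    # "*" or {"AWS": "*"} in a bucket policy means any caller, signed or anonymous.
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))

def public_acl_grants(acl):
    # `acl` has the shape of a get_bucket_acl response (assumed; sample below is constructed).
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUP_URIS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant["Permission"]))
    return found

def public_policy_statements(policy_json):
    # One finding per Allow statement open to everyone. Conditional statements are
    # kept and flagged: conditions such as aws:Referer are spoofable and need review.
    found = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
            continue
        found.append({"sid": stmt.get("Sid", "<no Sid>"),
                      "actions": sorted(_as_list(stmt.get("Action"))),
                      "conditional": "Condition" in stmt})
    return found

# Constructed sample: a prototype bucket left public-read "for convenience".
SAMPLE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-proto-bucket/*"},
    {"Sid": "CiUpload", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/ci"},
     "Action": ["s3:PutObject"], "Resource": "arn:aws:s3:::example-proto-bucket/*"},
]})
```

Running public_acl_grants(SAMPLE_ACL) and public_policy_statements(SAMPLE_POLICY) on the sample yields one ACL finding (AllUsers READ) and one policy finding (PublicRead, s3:GetObject); the CI role statement is scoped to a single principal and is not reported.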

Why detection is harder than it looks

Cloud security posture management (CSPM) tools catch many misconfigurations, but they operate inside the account boundary. They cannot see what an external attacker sees: a bucket that looks private from the IAM console but is accessible via a presigned URL posted to a public forum, or a database whose security group blocks most IPs but whitelists a compromised partner's entire /16. External reconnaissance — looking at your cloud footprint the way an attacker does — is the only way to find the gaps CSPM misses.

The takeaway is simple: cloud misconfiguration is not a solved problem, and the cost of each leak is rising with stricter breach-notification laws. Continuous external asset scanning that maps every exposed storage bucket, database port, and subdomain to your organization is now table stakes.

Breaches due to misconfiguration accounted for 21% of error-related breaches.
ICO retrospective review citing Verizon DBIR 2023
