Android game dev’s Google Drive misconfig highlights cloud security risks

The Japanese company Ateam, known for making mobile games and content, recently showed how a simple mistake with Google Drive settings could potentially expose the sensitive information of almost one million people over six years and eight months.

Ateam creates games like War of Legions, Dark Summoner, Hatsune Miku – Tap Wonder, and tools such as Memory Clear | Game Boost Master and Good Night’s Sleep Alarm, which are available on Google Play.

In November 2023, Ateam discovered that since March 2017, it had set up a Google Drive storage instance in a way that allowed anyone on the internet with the link to view its contents. The company informed its app and service users, employees, and business partners about this mistake.

Inside this improperly configured Google Drive, there were 1,369 files containing personal information about Ateam customers, business partners, current and former employees, as well as interns and job applicants.

Ateam has confirmed that a total of 935,779 individuals had their data exposed, with nearly 99% of them being customers. Specifically, for Ateam Entertainment, 735,710 people had their information exposed.

The type of data exposed depends on the individual’s relationship with the company and may include:

Full names
Email addresses
Phone numbers
Customer management numbers
Terminal (device) identification numbers

The company says it has seen no concrete evidence of threat actors having stolen the exposed information but urges people to remain vigilant for unsolicited and suspicious communications.

Secure your cloud services

When you use Google Drive and set it to “Anyone with the link can view,” it means only people who have the exact web link can see what’s inside. Usually, this is used when people want to share things with others, like work or projects that aren’t secret.

But if someone, like an employee, accidentally makes this link public, it can end up showing on search engines, and anyone can get in.

Although it’s not very likely that someone just stumbles upon an exposed Google Drive link by accident, this situation reminds us that companies need to make sure their cloud services are secure. This helps prevent important information from being seen by the wrong people.
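
One way to audit for this setting, as an added example that is not from Ateam or the original article: the Python below scans file metadata shaped like Google Drive API v3 output and flags anything shared with "anyone", separating link-only sharing from files that are also discoverable through search. The file ids and names are constructed sample data, and it assumes the listing was requested with the permission fields included.

```python
# Field names follow the Drive API v3 permission resource (type, role,
# allowFileDiscovery). File ids and names below are constructed sample data.
SAMPLE_FILES = [
    {"id": "file-001", "name": "customer_export.xlsx", "permissions": [
        {"type": "user", "role": "owner"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "file-002", "name": "press_kit.zip", "permissions": [
        {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
    {"id": "file-003", "name": "hr_applicants.csv", "permissions": [
        {"type": "user", "role": "owner"},
        {"type": "domain", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "file-004", "name": "shared_notes.docx", "permissions": [
        {"type": "anyone", "role": "writer", "allowFileDiscovery": False}]},
    {"id": "file-005", "name": "restricted.pdf"},  # no permissions returned
]

EDIT_ROLES = {"writer", "fileOrganizer", "organizer", "owner"}


def classify(permission):
    """Label one permission entry, or return None if it is not open to the internet."""
    if permission.get("type") != "anyone":
        return None
    # allowFileDiscovery=True means the file can be found through search,
    # not only opened by someone who already holds the link.
    if permission.get("allowFileDiscovery"):
        return "public-searchable"
    return "anyone-with-link"


def audit(files):
    """Return findings for internet-accessible files, most exposed first."""
    findings = []
    for f in files:
        for perm in f.get("permissions", []):
            exposure = classify(perm)
            if exposure:
                findings.append({"id": f["id"], "name": f["name"],
                                 "exposure": exposure, "role": perm.get("role"),
                                 "editable": perm.get("role") in EDIT_ROLES})
    findings.sort(key=lambda x: (x["exposure"] != "public-searchable",
                                 not x["editable"], x["name"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print(finding)
```

Files reported as "anyone-with-link" are the case described above: nothing is searchable yet, but the data is one leaked URL away from being open to everyone.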

It’s quite common for both bad actors and researchers to find these exposed cloud services, like databases and storage spaces, and take the information they hold.

Usually, researchers do the right thing and report the problem. But when bad actors find this data, it can lead to bigger issues. They might try to force companies to do things they don’t want to do or sell the data to other hackers who might use it for their own bad purposes.

In 2017, a security researcher named Chris Vickery found misconfigured Amazon S3 storage buckets. These buckets had databases with 1.8 billion social media and forum posts from people all around the world.

Just ten days later, the same researcher found another misconfigured bucket, this time with what seemed like secret information from INSCOM.

Although these mistakes were reported properly, in other cases data from cloud services that aren’t set up right gets leaked or sold on places where hackers hang out.

Mistakes like these with Amazon S3 storage buckets have become such a problem that researchers made tools to check if these buckets are exposed. And the U.S. Cybersecurity and Infrastructure Security Agency (CISA) even gave advice to companies on how to keep their cloud services safe.
