Skip to content
πŸ”“ Yet Another S3 Bucket Leak
Branch: master
Clone or download
Latest commit e8d498f Aug 16, 2018
Type Name Latest commit message Commit time
Failed to load latest commit information.
docs Minor May 31, 2018
.gitignore Update pages Jan 4, 2018 Add contribution instructions Oct 11, 2017
Dockerfile Minor Dockerfile update Oct 16, 2017
LICENSE Create LICENSE Sep 28, 2017
Makefile rename html file Oct 18, 2017 Minor May 31, 2018
yas3bl.json Add godaddy. Closes #5 Aug 16, 2018

YAS3BL (Yet Another S3 Bucket Leak)

πŸ”“ Enumerating all the AWS S3 bucket leaks that have been discovered to date.

Company Link Records Exposed Data

211 LA County

πŸ”— 3.2 million Files include access credentials for 211 system operators, email addresses for contacts and registered resources of LA County 211, and detailed call notes, including full names, phone numbers, addresses, and even 33,000 instances of full Social Security numbers.


πŸ”— 137+ GB 4 S3 buckets exposing secret API data, authentication credentials, 40,000 plaintext passwords, credentials for GCP and Azure accounts, SSL certificates, private decryption keys, production VPN keys for internal/private networks, database dumps, user IP addresses, JSESSION IDs.


πŸ”— Names, addresses, dates of birth, phone numbers, income ranges, social security numbers (SSNs), driver licenses, armed forces and voter identification cards, bank checks, insurance policy documents, health and medical information (e.g. prescriptions and dosages), and some financial data. Insurance companies found in the data included Cigna, TransAmerica, SafeCo, Schneider Insurance, Manhattan Life, Everest - to name a few.

Alliance Direct Lending Corporation

πŸ”— 1 million Names, addresses, credit scores and partial Social Security numbers


πŸ”— 123 million Data sets belonging to Experian and US Census Bureau, containing personal details of 198 million American voters and 123 million American household PII data such as home addresses, contact information, morgage ownership, financial histories, and purchasing behaviors.

Australian Broadcasting Company

πŸ”— 50,000 Personal data of Australian employees of several government agencies, banks, and a utility company, including full names, passwords, IDs, phone numbers, email addresses, credit card numbers, salaries and expenses.

Booz Allen Hamilton

πŸ”— Undisclosed Top Secret data from DoD, Pentagon, and National Geospatial Intelligence Agency (NGA), SSH keys, credentials granting access to data center Operating System

DeepRoot Analytics

πŸ”— 200 million 1.1 Terabytes worth of data on registered voters

Department of Defense

πŸ”— 1.8 billion Three (3) S3 buckets containing 1.8 billion posts of scraped internet content over the last 8 years.

Dow Jones

πŸ”— 2.2 - 4 million Names, addresses, account information, email addresses, and last four digits of credit card numbers of millions of subscribers to Dow Jones publications


πŸ”— 1.8 million Chicago voter names, addresses, date-of-births, partial SSNs, Driver Licenses, and state ID numbers


πŸ”— 119,000 Scanned documents of US and international citizens, such as passports, driver licenses, security IDs, home addresses, phone numbers, zip codes


πŸ”— 38,000 Credit Card numbers, expiration dates, CVV codes


πŸ”— 50,000 Names, phone numbers and email addresses for users and their trusted contacts, passwords, gender, information about their cars including VIN, Connect IDs.

MBM Company Inc.

πŸ”— 1.3 million Names, addresses, zip codes, phone numbers, email addresses, ip addresses, plaintext passwords

Mexico's Electoral Authority (INE)

πŸ”— 93.4 million Mexican voter registration data

National Credit Federation

πŸ”— 111 GB Internal personal and financial data of tens of thousands of customers.


πŸ”— 47 files Highly sensitive INSCOM data. Some data was 'NOFORN' classified, indicating high sensitivity that cannot be shared with foreign allies


πŸ”— 12,000 A database backup, called octoly_production.sql, exposed real names, addresses, phone numbers, email addresses, birth dates of thousands of influential online personalities (Instagram, Twitter, and YouTube personalities), like Dior, Lancome, and Blizzard Entertainment

Patient Home Monitoring

πŸ”— 316,363 47.5 GB PDF medical records containing weekly blood test results, patient names, addresses, and phone numbers. Development server backups. Doctor's names, case management notes, and additional client information.

SVR Tracking

πŸ”— 540,642 Tracking unit information including usernames, passwords, emails, Vehicle Identification Numbers, license plate numbers, IMEI numbers of GPS devices, specific location where the tracking units were hidden, information on customers and 427 dealerships, 116 GB of hourly backups, 8.5 GB of daily backups from 2017, and 339 log documents


πŸ”— 9,402 Resumes of Top Secret US military veterans names, addresses, phones, emails, Driver License numbers, passport numbers, partial SSNs

Time Warner/BroadSoft

πŸ”— 4 million 600 GB worth of data including usernames, emails addresses, MAC addresses, device serial numbers, and financial transaction information


πŸ”— 14 million Verizon customer names, addresses, account details, and Personal Identification Numbers (PIN)


πŸ”— 100 MB Data from internal Verizon Wireless system (DVS), 129 Outlook messages, logs, server names & info, admin usernames & passwords


πŸ”— 72 files Encrypted compressed archives containing backup of company's IT infrastructure and private GPG keys used to encrypt the compressed archives


πŸ”— 3,065,805 Fans names, physical addresses, email addresses, earnings, ethnicity, children’s age ranges, birthdates and additional personally identifiable information
You can’t perform that action at this time.