What Happened
Cybernews researchers found that AI chatbot vendor WotNot had left a misconfigured Google Cloud Storage bucket open to the internet with no password. The 346,381 exposed files included passport and national ID scans, medical records, resumes, and travel documents belonging to free-tier customers' end users. WotNot said the bucket policy had been changed for a specific use case and that it failed to verify the resulting public accessibility.
Impact
The trove gave anyone on the internet a ready-made kit for identity theft, medical fraud, and other scams. The company took more than two months to close the hole after researchers first reached out.
How to Prevent This
- Default cloud storage buckets to private and block public access at the org policy level
- Verify accessibility after any bucket-policy change with automated checks
- Encrypt sensitive documents and apply least-privilege access controls
- Monitor for publicly exposed storage using continuous cloud-posture scanning
- Maintain a monitored security contact so disclosures are actioned quickly