reddoorz.com

[ramimac]

https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Decision---Commeasure-Pte-Ltd---15092021.pdf?la=en

Investigations revealed that the unknown threat actor(s) had most likely gained access and exfiltrated the Organisation’s database of customer records hosted in an Amazon RDS cloud database, after they obtained an Amazon Web Services (“AWS”) access key. The AWS 3 access key was embedded within an Android application package (“the affected APK”) publicly available for download from the Google Play Store. 4 This affected APK was created sometime in 2015, when the Organisation was still a start-up, and was last updated in January 2018. Even though the AWS access key had access to a “live” or production database, the AWS access key was embedded in the APK, and erroneously marked as a “test” key by the then-developers. With the exception of one of the Organisation’s co-founders and Chief Technology Officer, all the developers have since left the Organisation. Most unfortunately, even though the Organisation regarded this APK as “defunct”, the APK remained publicly available for download on the Google Play Store until the Organisation became aware of the Incident and removed the affected APK