Last updated: April 29, 2026
Public S3 buckets, open Google Cloud Storage buckets, anonymous Azure Blob containers: data exposure via cloud object stores is the most-documented cloud breach class. The mechanism: the customer marked the storage as public (often by accident, or as a historical leftover); the data inside is sensitive; internet-facing enumeration finds it; the data leaks.
Why this keeps happening
- Multiple ways to make storage public. On AWS S3: bucket ACL, bucket policy, object ACL, individual object grants, “allUsers” in IAM. Each is an independent setting that can grant public access.
- Defaults changed over time. Before 2018, S3 allowed public access by default; that changed, but old buckets inherited the old defaults.
- “Temporary” public sharing becomes permanent. A file needs external sharing for one meeting; the public flag is set and never unset.
- Developer makes it public intentionally. “It’s just test data” that turns out to have customer PII accidentally mixed in.
- Misunderstanding of scope. “Only people with the link can access it”, but the link gets posted to GitHub and then indexed.
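
The first bullet's point, that each setting grants public access independently, as an added example (not code from the original page): a Python audit that checks the bucket ACL, the bucket policy and object ACLs separately. The inputs mirror the shape of boto3's get_bucket_acl, get_bucket_policy and get_object_acl responses; the bucket name, object key and sample data are constructed.

```python
import json

# S3 ACL grantee group URIs that mean "anyone" or "any AWS account holder".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}

def acl_findings(acl, where):
    """Public grants in an ACL dict (get_bucket_acl / get_object_acl shape)."""
    out = []
    for g in acl.get("Grants", []):
        name = PUBLIC_GROUPS.get(g.get("Grantee", {}).get("URI"))
        if name:
            out.append(f"{where}: {g['Permission']} granted to {name}")
    return out

def policy_findings(policy_json):
    """Allow statements in a bucket policy whose principal is a wildcard."""
    stmts = json.loads(policy_json).get("Statement", [])
    if isinstance(stmts, dict):  # a lone statement may be a single object
        stmts = [stmts]
    out = []
    for s in stmts:
        p = s.get("Principal")
        aws = p.get("AWS") if isinstance(p, dict) else p
        wildcard = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if s.get("Effect") == "Allow" and wildcard:
            note = " (has Condition, review manually)" if "Condition" in s else ""
            out.append(f"bucket policy: {s.get('Action')} allowed for Principal *{note}")
    return out

def audit(bucket_acl, policy_json, object_acls):
    """Check every path separately: a clean result on one says nothing about the others."""
    findings = acl_findings(bucket_acl, "bucket ACL")
    if policy_json:
        findings += policy_findings(policy_json)
    for key, acl in object_acls.items():
        findings += acl_findings(acl, f"object ACL {key}")
    return findings

# Constructed sample: the bucket ACL is private, yet the policy and one object ACL are public.
SAMPLE_BUCKET_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER"},
                                 "Permission": "FULL_CONTROL"}]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
SAMPLE_OBJECT_ACLS = {"exports/report.csv": {"Grants": [{"Grantee": {
    "Type": "Group", "URI": next(iter(PUBLIC_GROUPS))}, "Permission": "READ"}]}}

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_BUCKET_ACL, SAMPLE_POLICY, SAMPLE_OBJECT_ACLS)))
```

A bucket whose ACL shows only the owner still produces two findings here, which is why a review of a single setting is not enough.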