A simple error in setting up a Google Drive storage service led to the potential exposure of the personal data of nearly a million people by a Japanese game developer.
Ateam, a company that creates mobile games and content, such as War of Legions, Dark Summoner and Hatsune Miku Tap Wonder, announced earlier this month thatshe discovered a security issue with her Google Drive service on November 21, 2023.
The company said it accidentally set a Google Drive instance to “Anyone on the internet with the link can view the files” since March 2017which means that anyone with the exact URL of the service could access the data stored there.
Also read – Google Drive: your files have disappeared? Don’t panic, there is a solution to this
The data of nearly a million people was viewable by everyone
The Google Drive service contained 1,369 files containing personal information of various people who had some sort of relationship with Ateam, such as customers, business partners, employees, interns, and job applicants. According to Ateam, 935,779 people had their data exposed by this error, including 98.9% of customers. For Ateam Entertainment, a subsidiary of Ateam, 735,710 people were affected.
The type of data exposed varies depending on the individual, but it can include first and last names, email addresses, telephone numbers, customer management numbers or even the identification numbers of the devices used. Ateam said it found no evidence that malicious actors stole or used the exposed data, but did advised users to be careful of suspicious or unsolicited messages they might receive.
This incident is another reminder of the need for businesses to properly secure their cloud services, as a simple configuration error can lead to the exposure of sensitive data.
This is not the first time that misconfiguration of a cloud service has led to data exposure. In fact, this is a very common phenomenon, as many hackers and researchers scour the Internet for this data. If researchers report exposed data to owners or authorities, Some hackers exploit data for malicious purposes, such as extortion, impersonation, fraud, or selling to other hackers.