TLDR: Security researchers discovered a publicly accessible AWS S3 bucket belonging to a Fortune 500 retailer. It contained sensitive customer data, including names, addresses, and partial payment card numbers.
The bucket was exposed for approximately 3 months before being secured. The company has begun notifying affected customers.
Exposed Data:
- Full names and email addresses
- Physical addresses
- Last 4 digits of payment cards
- Purchase history
- Account passwords (hashed, but with a weak algorithm)