
Public AWS S3 Bucket Exposed Customer Data Pre-Launch

Severity: CRITICAL
Industry: Startup
Finding: Customer export files in S3 bucket publicly accessible — discovered 4 hours into automated cloud scan
Method: Manual + automated penetration testing
Outcome: Potential data breach of 847 customer data files (2.3GB) avoided 6 days before product launch. If discovered by a threat actor or reported via data breach notification, the company faced regulatory exposure under PDPB and reputational damage before their first customer had even onboarded. Remediated in 30 minutes.
The finding
Customer export files in S3 bucket publicly accessible — discovered 4 hours into automated cloud scan

Technical detail

During a pre-launch cloud security assessment for a B2B SaaS startup, ThreatRiX's automated S3 enumeration identified a bucket named [company]-customer-exports with public read access enabled.

The bucket contained 847 CSV files — customer data exports including names, email addresses, company information, and subscription details — totalling 2.3GB. The files were indexed by public search engines.

The bucket had been created by a developer for a temporary data migration and the public access block was never re-enabled. CVSS Score: 9.1 (Critical).

Business impact & resolution
Potential data breach of 847 customer data files (2.3GB) avoided 6 days before product launch. If discovered by a threat actor or reported via data breach notification, the company faced regulatory exposure under PDPB and reputational damage before their first customer had even onboarded. Remediated in 30 minutes.

Remediation

Immediate: public access block enabled on the bucket, files moved to private storage.

Audit: all 23 S3 buckets reviewed for public access settings.

Process: S3 bucket public access block now enforced at the AWS account level — no individual bucket can be made public without explicit override approval. ThreatRiX added S3 public access scanning to the ongoing Growth plan.
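The audit and account-level enforcement steps above can be checked continuously rather than once. The script below is an added example, not ThreatRiX's scanner or the client's tooling: it reads the account-level and per-bucket Block Public Access settings, each bucket's policy status and ACL, and reports which buckets are actually reachable by the public and which are merely missing the belt-and-braces setting. It assumes boto3 is installed with read-only S3/STS credentials configured; the bucket names and ACL grants in the test inputs are constructed, and the evaluation logic is kept separate from the AWS calls so it can be exercised offline.

```python
"""Audit S3 buckets for public exposure, honouring Block Public Access semantics.

Added example for this case study (not ThreatRiX's or the client's code).
Assumes boto3 and read-only S3/STS credentials; the classification logic is
pure so it can be exercised offline with constructed inputs.
"""
from dataclasses import dataclass
from typing import Optional

try:
    import boto3
    from botocore.exceptions import ClientError
except ImportError:  # allow the pure logic to import without boto3 present
    boto3 = None
    ClientError = Exception

# The four Block Public Access settings; account and bucket levels are combined
# and the most restrictive value wins.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


@dataclass
class BucketVerdict:
    name: str
    exposed: bool
    reason: str


def effective_pab(account_pab: Optional[dict], bucket_pab: Optional[dict]) -> dict:
    """Merge account- and bucket-level settings; a True at either level applies."""
    return {k: bool((account_pab or {}).get(k)) or bool((bucket_pab or {}).get(k)) for k in PAB_KEYS}


def acl_has_public_grant(grants: list) -> bool:
    """True if any ACL grant targets AllUsers or AuthenticatedUsers."""
    return any(g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEES for g in grants)


def classify_bucket(name, account_pab, bucket_pab, policy_is_public, acl_grants) -> BucketVerdict:
    """Decide whether a bucket is publicly reachable right now.

    A public bucket policy is neutralised by RestrictPublicBuckets; a public ACL
    grant is neutralised by IgnorePublicAcls. Anything else counts as exposed.
    """
    pab = effective_pab(account_pab, bucket_pab)
    findings = []
    if policy_is_public and not pab["RestrictPublicBuckets"]:
        findings.append("public bucket policy not neutralised by RestrictPublicBuckets")
    if acl_has_public_grant(acl_grants) and not pab["IgnorePublicAcls"]:
        findings.append("public ACL grant not neutralised by IgnorePublicAcls")
    if findings:
        return BucketVerdict(name, True, "; ".join(findings))
    missing = [k for k, v in pab.items() if not v]
    if missing:
        return BucketVerdict(name, False, "not public now, but Block Public Access incomplete: " + ",".join(missing))
    return BucketVerdict(name, False, "Block Public Access fully enforced")


def _get_pab(fn, **kwargs) -> Optional[dict]:
    """Fetch a PublicAccessBlock configuration; None if it has never been set."""
    try:
        return fn(**kwargs)["PublicAccessBlockConfiguration"]
    except ClientError as exc:
        if exc.response["Error"]["Code"] == "NoSuchPublicAccessBlockConfiguration":
            return None
        raise


def audit_account() -> list:
    """Walk every bucket in the account and classify it (live AWS calls)."""
    account_id = boto3.client("sts").get_caller_identity()["Account"]
    s3 = boto3.client("s3")
    account_pab = _get_pab(boto3.client("s3control").get_public_access_block, AccountId=account_id)
    verdicts = []
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        bucket_pab = _get_pab(s3.get_public_access_block, Bucket=name)
        try:
            policy_public = s3.get_bucket_policy_status(Bucket=name)["PolicyStatus"]["IsPublic"]
        except ClientError as exc:
            if exc.response["Error"]["Code"] != "NoSuchBucketPolicy":
                raise
            policy_public = False  # no policy attached, so nothing for it to expose
        grants = s3.get_bucket_acl(Bucket=name)["Grants"]
        verdicts.append(classify_bucket(name, account_pab, bucket_pab, policy_public, grants))
    return verdicts


if __name__ == "__main__":
    for v in audit_account():
        print(("EXPOSED " if v.exposed else "ok      ") + f"{v.name}: {v.reason}")
```

Run it with the same credentials the audit team used; a bucket that reports "not public now, but Block Public Access incomplete" is the state the migration bucket was in before the developer's temporary change, and is exactly what the account-level enforcement in the Process step is meant to make impossible.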
