Internet Service Provider Pocket iNet exposed 73GB of corporate information online, including AWS secret keys and internal data.
Cybersecurity firm UpGuard revealed on Tuesday that the data leak was caused by a misconfigured Amazon S3 storage bucket which permitted the access and download of information without the need for authorization.
Washington-based Pocket iNet offers customers a broadband Internet service, video streaming, and smart, connected home solutions.
The company claims to "makes use of bleeding edge and emerging technologies such as native IPv6, Carrier Ethernet, and local fiber."
However, the ISP may need to focus more on security given this lapse. According to UpGuard, among the data exposed was passwords stored in plain text, AWS secret keys for Pocket iNet employees, network diagrams, configuration settings, and inventory lists.
The lists of passwords were mainly named "root" or "admin," which implies these accounts may have been given high-level privileges and permissions. In the hands of an attacker, such credentials could have spelled disaster for the ISP and its infrastructure.
"Exposing files like this offers up the keys to the kingdom, but in truth, such files should not exist in any form," UpGuard noted. "Documents containing long lists of administrative passwords may be convenient for operations, but they create single points of total risk, where the compromise of one document can have severe and extensive effects throughout the entire business."
In addition, Pocket iNet's leaky server revealed photographs of the firm's equipment, which the researchers say included "routers, cabling, and towers."
A list of "priority customers" was also included in the leak, which named Lockheed Martin, Toyota, the Richland School District, and the Lourdes Medical Center, among other organizations.
UpGuard discovered the security failure on October 11, in which a publicly exposed bucket called "pinapp2" was shown to belong to the ISP -- as well as 73GB of data. However, some of the bucket was restricted and the information contained within was not downloadable.
While the ISP was notified on the same day via phone and email, UpGuard says it was a week before the bucket was secured.
TechRepublic: How RATs infect computers with malicious software
"Due to the severity of this exposure, UpGuard expended significant effort during those seven days, repeatedly contacting Pocket iNet and relevant regulators, including using contact information found within the exposed dataset," the researchers say. "Internet service providers have been designated as part of the US Critical Infrastructure and represent a prime target for adverse nation-state threat groups."
UpGuard has found a number of leaky, online-facing servers throughout the past few years, one of the last being a GoDaddy Amazon S3 bucket.
The bucket was created by an AWS salesperson to store prospective AWS pricing scenarios and GoDaddy said the exposed information was only related to speculative models. No customer data was exposed.
Update 15.07 BST: A Pocket iNet spokesperson told ZDNet:
"Unfortunately, a single folder of PocketiNet's network operation historical data (non-customer) was publicly accessible to Amazon administrative users (non-public). Most of this data was out of date and was documentation in nature on the network. It has since been secured.
We appreciate being alerted to this error. PocketiNet is currently conducting a comprehensive network review to guarantee no additional data is compromised. We have also begun a complete analysis of operating procedures to ensure no future errors occur.
No personal or financial customer data was accessible.
We are humbled by this experience. We are resolute in our corrective course."