
Android Game Developer’s Google Drive Blunder Exposes Critical Cloud Security Vulnerabilities

Discover the risks of cloud misconfigurations as an Android game developer accidentally leaked millions of users’ data through Google Drive. Learn how to protect your valuable information from potential security threats and ensure a secure cloud environment.


Imagine this: you’re working on a group project, and you decide to use Google Drive to share and collaborate on the files. It’s convenient, efficient, and, most importantly, secure. Or at least, that’s what you thought. What if I told you that a simple configuration mistake could accidentally expose sensitive information to the entire internet? That’s exactly what happened to Japanese game developer Ateam, and it affected nearly one million people over a period of six years and eight months.

Ateam is a mobile games and content creator with multiple games on Google Play, such as War of Legions, Dark Summoner, and Hatsune Miku – Tap Wonder, and tools like Memory Clear | Game Boost Master and Good Night’s Sleep Alarm. Earlier this month, the company informed users of its apps and services, employees, and business partners that it had made a critical mistake. Since March 2017, a Google Drive cloud storage instance had been incorrectly set to “Anyone on the internet with the link can view.”

This insecure configuration affected 1,369 files containing personal information on Ateam customers, business partners, former and current employees, and even interns and job applicants. In total, 935,779 individuals had their data exposed, with 98.9% being customers. For Ateam Entertainment specifically, 735,710 people were exposed.

The exposed data varies depending on the individual’s relationship with the company and may include full names, email addresses, phone numbers, customer management numbers, and terminal (device) identification numbers. Ateam has confirmed that there’s no concrete evidence of threat actors having stolen the exposed information, but they are urging people to remain vigilant for unsolicited and suspicious communications.

Don’t let this happen to you: Secure your cloud services

Setting Google Drive to “Anyone with the link can view” is typically reserved for collaboration between people working with non-sensitive data. It makes the files viewable only to those with the exact URL. However, if an employee or someone else with the link mistakenly exposes it publicly, it could get indexed by search engines and become broadly accessible.
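As an added example (not part of the original article), the Python audit below flags files in a Drive listing that are readable without signing in, separating link-only sharing from files that are also discoverable through search. It assumes the listing was exported from the Drive API v3 `files.list` call with the `permissions` fields requested; the sample data and the function name `audit_link_sharing` are constructed for illustration.

```python
import json

# Constructed sample, shaped like a Drive API v3 files.list response requested with
# fields="files(id,name,permissions(type,role,allowFileDiscovery))". Not real data.
SAMPLE_LISTING = json.loads("""
{"files": [
  {"id": "f-001", "name": "customer_export.xlsx", "permissions": [
      {"type": "user", "role": "owner"},
      {"type": "anyone", "role": "reader", "allowFileDiscovery": false}]},
  {"id": "f-002", "name": "press_kit.zip", "permissions": [
      {"type": "user", "role": "owner"},
      {"type": "anyone", "role": "reader", "allowFileDiscovery": true}]},
  {"id": "f-003", "name": "roadmap.docx", "permissions": [
      {"type": "user", "role": "owner"},
      {"type": "domain", "role": "reader"}]},
  {"id": "f-004", "name": "applicants.csv"}
]}
""")

# Higher number = review first.
SEVERITY = {"public-discoverable": 3, "anyone-with-link": 2, "unreviewed": 1}


def _finding(entry, exposure, role=None):
    return {"id": entry["id"], "name": entry.get("name", ""),
            "exposure": exposure, "role": role}


def audit_link_sharing(listing):
    """Return one finding per file that is, or may be, readable without sign-in."""
    findings = []
    for entry in listing.get("files", []):
        perms = entry.get("permissions")
        if perms is None:
            # No permission list in the response: do not assume the file is private.
            findings.append(_finding(entry, "unreviewed"))
            continue
        for perm in perms:
            if perm.get("type") != "anyone":
                continue  # user, group and domain grants still require an account
            exposure = ("public-discoverable" if perm.get("allowFileDiscovery")
                        else "anyone-with-link")
            findings.append(_finding(entry, exposure, perm.get("role")))
    return sorted(findings, key=lambda f: SEVERITY[f["exposure"]], reverse=True)


if __name__ == "__main__":
    for finding in audit_link_sharing(SAMPLE_LISTING):
        print("{exposure:20} {role!s:8} {id}  {name}".format(**finding))
```

Files reported as `unreviewed` need a second look with an account that can see their sharing settings; they are listed rather than silently treated as private.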

While it’s unlikely that anyone would stumble upon an exposed Google Drive URL on their own, Ateam’s situation highlights the importance of properly securing cloud services to prevent data from being mistakenly exposed. Threat actors and researchers frequently find exposed cloud services, such as databases and storage buckets, and download the data contained in them.

Researchers usually responsibly disclose the exposed data, but if threat actors find it first, it can lead to bigger problems as they use it to extort companies or sell it to other hackers to use in their own attacks. In the past, misconfigured Amazon S3 buckets have exposed databases containing 1.8 billion social and forum posts made by users worldwide. Another misconfigured S3 bucket exposed what appeared to be classified information from INSCOM.

These breaches have become a significant problem, leading researchers to develop tools that scan for exposed buckets. The US Cybersecurity and Infrastructure Security Agency (CISA) has also released guidance on how to properly secure cloud services.

Don’t let your company become the next headline for a security mishap. Take the time to review your cloud service configurations and ensure that sensitive data is protected. And while you’re at it, why not keep coming back to learn more about cybersecurity best practices? Stay informed and stay safe.
