FormGet exposed company documents and customer data due to unsecured AWS S3 storage bucket

  • The unprotected Amazon S3 storage bucket exposed several internal documents, customer-uploaded data, invoices, receipts, resumes, and more.
  • It also included several scanned documents such as passports, pay checks, Social Security numbers, driver’s licenses, and national identity cards, among others.

A security researcher discovered an unprotected Amazon S3 storage bucket belonging to FormGet that exposed several internal documents, customer-uploaded data, invoices, receipts, resumes, and more.

FormGet is an online form-maker and an email marketing company that has over 43000 clients across the globe.

What was exposed?

The storage bucket contained several corporate documents and user-uploaded documents. The exposed documents include:

  • Several internal corporate documents including cybersecurity assessment summaries for various banks labeled “confidential” and for “internal use only”.
  • Documents related to loans and mortgages, including amounts, interest rates, and histories, as well as bank account statements, gas bills, military discharge from active duty forms, and other similar proof of residency.
  • Scanned documents such as passports, pay checks, Social Security numbers, driver’s licenses, and national identity cards, among others.
  • UPS shipping labels including names, phone numbers, and the shipping contents.
  • Several invoices from Google and Zoom which included names, addresses, and partial credit card numbers.
  • Airline and hotel booking receipts.
  • Letters from Veterans Affairs certifying service-connected disability compensation for former veterans.
  • Resumes.

What actions were taken?

The security researcher who discovered the leaky server notified TechCrunch in order to get the server secured. TechCrunch reported the data leak to FormGet, which immediately responded by taking down the bucket and disabling access to the public.

Cyware Publisher
