The Elasticsearch database — named “Sauron” (make of that what you will) — contained about 215 million entries of pseudonymized viewing data, such as the name of the show or movie being streamed and the device it was streamed on, along with other internal data, like network quality and subscription details, such as whether the viewer is an Amazon Prime customer.

While it is disconcerting that a company of Amazon’s size and wealth could leave such a huge cache of data on the internet for weeks without anyone noticing, based on our review, the data cannot be used to personally identify customers by name. But the lapse highlights a common problem that underpins many data exposures — misconfigured internet-facing servers that are left online without a password, open for anyone to access.

Sen provided details of the database in an effort to get the data secured, and TechCrunch passed the information to Amazon out of an abundance of caution. The database was inaccessible a short time later.

“There was a deployment error with a Prime Video analytics server. This problem has been resolved and no account information (including login or payment details) were exposed. This was not an AWS issue; AWS is secure by default and performed as designed,” said Amazon spokesperson Adam Montgomery.

Amazon accidentally exposed an internal server packed with Prime Video viewing habits by Zack Whittaker originally published on TechCrunch
