A misconfiguration in the Google Drive of an Android game developer underscores the cloud security risks associated with Android game development

Japanese game developer Ateam’s misconfigured Google Drive has led to the potential exposure of sensitive information for nearly one million people over a period of six years and eight months. The exposed data includes full names, email addresses, phone numbers, customer management numbers, and terminal (device) identification numbers. The company has not found any concrete evidence that threat actors stole the exposed data. This incident highlights the importance of properly securing cloud services to prevent such exposures.

The incident is also a cautionary tale for the industry, especially for companies that handle sensitive customer data. Organizations should review and update their cloud sharing configurations regularly to limit the risk of data exposure and unauthorized access.

Google Play Protect, Google’s security service for Android apps, is an example of the rigorous security testing that apps undergo before appearing in the Google Play Store. The service scans billions of apps daily to ensure their security and protect users from potential threats.

The Play Protect service also categorizes and flags apps, binaries, or framework modifications that pose a risk to Android devices and users as Potentially Harmful Applications (PHAs). This demonstrates the comprehensive security measures in place to protect Android users from malicious behaviors and potential risks.

In summary, the misconfiguration of Ateam’s Google Drive highlights the critical importance of robust cloud security measures to prevent potential data exposures and security risks. It serves as a reminder for companies to prioritize the security of their cloud services and implement thorough security protocols to safeguard sensitive information. Additionally, the Google Play Protect service exemplifies the rigorous security testing and measures in place to protect Android users from potential threats and malicious behaviors.

What is the Google Drive configuration mistake that led to the security risk?

The Google Drive configuration mistake that led to the security risk in the case of Japanese game developer Ateam can be summarized as follows:

  • Misconfigured cloud storage instance: Ateam had a Google Drive cloud storage instance incorrectly set to “Anyone on the internet with the link can view” since March 2017, which allowed anyone with the link to access and download the files.
  • Inadvertent or malicious sharing: An employee with access to the company’s Google Drive publicly shared a link, which could have been catastrophic for the affected users.
  • Exposed personal information: The misconfigured Google Drive instance contained 1,369 files with personal information on Ateam business partners, former and current employees, interns, and people who applied for a position at the company.
  • Lack of proper access control: Google Drive lacks a cohesive organizational permission system, which can lead to mistakes in access control and configuration, potentially exposing sensitive data.

This incident highlights the importance of proper cloud security configurations, access control, and incident management to protect sensitive data from potential exposure and unauthorized access.

What steps did Ateam take to address the security risk?

After discovering the Google Drive security risk, Japanese game developer Ateam took several steps to address the issue:

  1. Identifying the affected files: Ateam identified 1,369 files containing personal information of customers, business partners, employees, and others that were exposed due to the misconfigured Google Drive.
  2. Notifying affected parties: The company began contacting affected individuals on December 20, 2023, to inform them about the potential exposure of their data.
  3. Strengthening monitoring: Ateam announced that it would strengthen monitoring through security tools to prevent similar incidents in the future.
  4. Reviewing file-sharing settings and permissions: The company planned to review file-sharing settings and permissions to ensure proper access control and prevent unauthorized access to sensitive information.
  5. Increasing awareness: Ateam committed to raising awareness among its employees about the importance of proper cloud security configurations and the risks associated with inadvertent or malicious sharing of sensitive data.

These steps demonstrate Ateam’s acknowledgment of the security risk and their commitment to taking necessary measures to protect the sensitive information of their users and partners.

How can individuals protect themselves from similar security risks?

Individuals can take several steps to protect themselves from similar security risks:

  1. Use strong passwords: Individuals should use strong and unique passwords for each account, with a minimum of eight characters, a mix of uppercase and lowercase letters, numbers, and symbols. Passwords should not be easy to guess, such as the user’s name or the name of the company.
  2. Enable multi-factor authentication: Multi-factor authentication adds an extra layer of security to accounts. If a service offers multi-factor authentication, individuals should use it.
  3. Be cautious of suspicious links, attachments, and downloads: Malware and ransomware can be embedded in links, attachments, and downloads. Individuals should make sure a link is authentic before clicking on it.
  4. Encrypt sensitive data and create backups: Individuals should ensure that all sensitive data is encrypted and create backups to protect against data loss.
  5. Stay informed and educated: Individuals should stay informed about the latest security threats and educate themselves on how to protect their personal information and devices.

These steps can help individuals reduce their risk of falling victim to security threats and protect their personal information and devices.

Secure your cloud services

Setting Google Drive to “Anyone with the link can view” restricts access to those who have the exact URL, and is typically intended for collaboration on non-sensitive data. However, if an employee or anyone else with the link inadvertently exposes it publicly, search engines may index it, making the files widely accessible.

While the likelihood of someone independently discovering an exposed Google Drive URL is low, this notification underscores the imperative for companies to implement robust security measures to prevent inadvertent data exposure in their cloud services. Ensuring the proper configuration and access controls is crucial in maintaining the confidentiality of sensitive information.
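One way to run the kind of file-sharing review described above, as an added example that is not code from Ateam or from the sources of this article: the sketch below ranks files by how widely they are shared. It assumes file metadata shaped like Google Drive API v3 `files.list` items with their `permissions` field; the sample records and the function names `classify` and `audit` are constructed for illustration.

```python
# Added example: constructed records shaped like Drive API v3 `files.list` items
# requested with fields="files(id,name,permissions(type,role,allowFileDiscovery))".
SAMPLE_FILES = [
    {"id": "f1", "name": "applicants_2017.xlsx", "permissions": [
        {"type": "user", "role": "owner"},
        {"type": "anyone", "role": "reader", "allowFileDiscovery": False}]},
    {"id": "f2", "name": "press_kit.pdf", "permissions": [
        {"type": "anyone", "role": "reader", "allowFileDiscovery": True}]},
    {"id": "f3", "name": "partner_contacts.csv", "permissions": [
        {"type": "domain", "role": "reader", "allowFileDiscovery": False},
        {"type": "anyone", "role": "writer", "allowFileDiscovery": False}]},
    {"id": "f4", "name": "payroll.xlsx", "permissions": [
        {"type": "user", "role": "owner"},
        {"type": "group", "role": "reader"}]},
    {"id": "f5", "name": "shared_drive_export.zip"},  # no permissions returned
]

# Higher rank = wider audience.
RANK = {"domain_wide": 1, "anyone_with_link": 2, "public_searchable": 3}


def classify(permission):
    """Return the exposure class of one permission, or None for a named grantee."""
    ptype = permission.get("type")
    if ptype == "anyone":
        searchable = permission.get("allowFileDiscovery", False)
        return "public_searchable" if searchable else "anyone_with_link"
    if ptype == "domain":
        return "domain_wide"
    return None  # "user" and "group" grants name a specific principal


def audit(files):
    """Return (findings sorted widest-first, ids whose sharing state is unknown)."""
    findings, unknown = [], []
    for f in files:
        if "permissions" not in f:
            # Absence of the field is not proof of privacy: the API omits it when
            # the caller cannot read the file's permissions.
            unknown.append(f["id"])
            continue
        exposed = [(RANK[c], p.get("role") == "writer", c)
                   for p in f["permissions"] if (c := classify(p))]
        if exposed:
            rank, editable, cls = max(exposed)
            findings.append({"id": f["id"], "name": f["name"], "exposure": cls,
                             "editable": editable, "rank": rank})
    findings.sort(key=lambda x: (x["rank"], x["editable"]), reverse=True)
    return findings, unknown
```

Files that land in the unknown list need a separate permissions lookup before they can be considered private.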

It is not uncommon for threat actors and researchers to identify exposed cloud services, including databases and storage buckets, and subsequently retrieve the data within them. While researchers typically responsibly disclose such findings, the same cannot be guaranteed if malicious actors uncover the exposed data, leading to potential exploitation, extortion, or sale on the black market for use in various cyber attacks.

Illustrating the significance of these concerns, in 2017, security researcher Chris Vickery discovered misconfigured Amazon S3 buckets exposing databases with 1.8 billion social and forum posts globally. Subsequently, another misconfigured S3 bucket was found to expose what seemed to be classified information from INSCOM. While these breaches were responsibly disclosed, other instances of cloud service misconfigurations have resulted in data leaks or sales on hacker forums.

Recognizing the growing prevalence of misconfigured Amazon S3 buckets, researchers have developed tools to actively scan for exposed buckets, highlighting the urgency for proactive measures in securing cloud services. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also issued guidance to companies, providing recommendations on how to appropriately secure their cloud services against potential threats and vulnerabilities.
