Thousands of domestic violence victims have had their emergency distress messages exposed after a developer misconfigured a back-end AWS bucket.
Researchers at vpnMentor led by Noam Rotem and Ran Locar found the voice recordings stored on a publicly accessible AWS S3 bucket.
They were traced back to Aspire News, an application built by US non-profit When Georgia Smiled, which features an emergency help section via which domestic abuse victims can send their distress messages. It’s backed by US TV celebrity and clinical psychologist Dr Phil.
In total, the researchers found around 230MB of data, containing around 4000 voice recordings dating back to September 2017. Fortunately, once contacted, AWS informed the non-profit and the issue was shut down the same day.
However, the data exposed in the voice recordings was highly sensitive, including victims’ full names and home addresses, details of their circumstances and their abusers’ names and personal details.
Domestic violence cases are said to have surged dramatically during lockdown, when abusers are often confined at home with their victims for extended periods.
“Had malicious or criminal hackers accessed these recordings, they could be weaponized against both victims and abusers to pursue blackmail and extortion campaigns,” said vpnMentor.