A few hours ago (November 18, 2019) I was informed of a data leak from a misconfigured Amazon S3 bucket by a security researcher at Upguard. That means the file reports we email to users and were housed on Amazon S3 were publicly exposed and readable by anyone with the link. The files contain email addresses and their validation statuses with timestamps of when they were verified. It is unknown if anyone outside of the researcher accessed these files. No passwords, names, company information, or other personally identifiable information were exposed. The leak has since been secured and confirmed by the researcher.
We’ve disabled file uploading to Amazon S3 and purged all files from S3.
I feel awful and I’m really sorry for this and any inconvenience this may have caused. I’ve personally let everyone down and this should have never happened. I will work harder to ensure our systems, processes, and 3rd party cloud vendors are more secure.