Dozens of servers containing Weight Watcher’s data were left exposed after the company failed to password protect software used for managing application containers, according to German cybersecurity firm Kromtech.
An Amazon cloud infrastructure used by Weight Watchers was left vulnerable—46 Amazon S3 buckets in total—including logs, passwords, and private encryption keys, Kromtech found.
Weight Watchers denies that any of the data left publicly accessible was sensitive; the Amazon account linked to the exposure was a “testing environment used only to test new services and features,” Weight Watchers said in an email to Gizmodo.
Bleeping Computer first reported the incident on Monday, but said that Weight Watchers had not responded to a request for comment.
“To be able to test innovate securely, we keep test environments completely separate from production environments,” the company told Gizmodo.
Weight Watchers added that its internal team and a third-party forensics company investigated the incident and that “each has independently confirmed that there was no indication that any personally identifiable information was exposed,” a spokesperson said.
A Kromtech spokesperson, however, said the researchers remain skeptical. “We absolutely think it was a production account,” said the firm, which unearthed more than 560 million passwords in an unrelated data breach last year.
The exposure was the result of a misconfigured Kubernetes instance, Kromtech said. Kubernates is a tool developed by Google for managing large numbers of applications. Notably, a Kubernetes instance on Telsa’s cloud infrastructure was hacked earlier this year, and then used by the perpetrators to mine cryptocurrency.
Kromtech did not attempt to access any of the data for legal reasons, and thus was unable to confirm whether any of it was sensitive. The firm said in its report:
“Earlier this month Kromtech Security experts discovered a Kubernetes administration console belonging to WeightWatchers that was accessible over the Internet without any password protection.
“This Kubernetes cluster was found on at least three IP’s with a kubelet port (10250) exposed, allowing access to all pod’s specifications, including the AWS Access key (access key ID and secret access key) and several dozens S3 buckets.”
“We responded immediately to resolve the issue and have implemented safeguards to prevent it from recurring,” Weight Watcher said. “We appreciate the efforts the security community makes to responsibly disclose concerns to improve the state of security on the Internet.”
Got a tip? Email the reporter: firstname.lastname@example.org