Published on: December 11, 2024
WotNot, an Indian AI startup, has exposed nearly 350,000 sensitive files after failing to secure its data online.
Based in Ahmedabad, the company, which specializes in helping businesses create custom chatbots used by companies like Merck and Amneal Pharmaceuticals, left a large amount of personal information unprotected in a misconfigured Google Cloud Storage bucket.
The exposed files, which were discovered in late August and finally secured in November, included passport scans, identity documents, medical records, resumes, travel itineraries, and more.
WotNot confirmed the bucket stored files uploaded by users interacting with the chatbot.
“It also stores non-sensitive content such as images, brochures, and other marketing materials that do not contain any personally identifiable information. That said, we typically recommend that our customers delete such files from the server after they have been received and forwarded to their own systems,” the company said.
The most alarming part about the Google Cloud Storage bucket is that it was accessible to anyone on the internet without any form of authentication or access control, not even password protection. This is particularly shocking considering the stored files can easily be used by cybercriminals to commit identity theft and all sorts of scams.
According to Cybernews, WotNot received the first of multiple emails about the issue in September, and the company only addressed the breach two months later.
When WotNot finally responded to questions surrounding the incident, it said the exposed bucket was used by free-tier users.
“The cause for the breach was that the cloud storage bucket policies were modified to accommodate a specific use case. However, we regretfully missed thoroughly verifying its accessibility, which inadvertently left the data exposed,” WotNot said in a statement. “We regretfully missed thoroughly verifying its accessibility, which inadvertently left the data exposed. … We are taking this incident seriously and will further strengthen our security measures to ensure such issues do not occur in the future.”
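The verification step the statement says was skipped, as an added example that is not WotNot's or Google's code: it takes a bucket's IAM policy as JSON (for instance the output of `gcloud storage buckets get-iam-policy gs://BUCKET --format=json`; that command and the sample policy below are assumptions) and reports every binding that grants a role to the public principals `allUsers` or `allAuthenticatedUsers`, which is what makes a bucket readable by anyone on the internet.

```python
import json

# Principals that make a bucket public (standard GCS IAM principal names; this
# is an added example, not the company's own tooling).
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Roles that grant object read access. A public binding to any other role is
# still reported, just flagged as not directly readable.
READ_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.legacyObjectReader",
    "roles/storage.legacyBucketReader",
    "roles/storage.admin",
}


def find_public_bindings(policy: dict) -> list[dict]:
    """Return every binding in a bucket IAM policy that exposes it to the public."""
    findings = []
    for binding in policy.get("bindings", []):
        exposed = PUBLIC_MEMBERS.intersection(binding.get("members", []))
        if not exposed:
            continue
        role = binding.get("role", "")
        findings.append({
            "role": role,
            "members": sorted(exposed),
            "grants_read": role in READ_ROLES,
            # An IAM condition narrows the grant; surface it so a reviewer can judge it.
            "condition": binding.get("condition"),
        })
    return findings


def check_bucket_policy(policy_json: str) -> list[dict]:
    """Parse the JSON policy text and return the public bindings it contains."""
    return find_public_bindings(json.loads(policy_json))


# Constructed sample: what a policy looks like after a "make these files
# shareable" change that added allUsers as an object viewer.
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/storage.admin", "members": ["group:platform@example.com"]},
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    ],
    "etag": "CAE=",
})

if __name__ == "__main__":
    for finding in check_bucket_policy(SAMPLE_POLICY):
        print(f"PUBLIC: {finding['role']} granted to {', '.join(finding['members'])}")
```

This only inspects bucket-level IAM; a bucket that still uses legacy object ACLs (uniform bucket-level access disabled) also needs its object ACLs checked, which this example does not do.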
In an effort to reassure its enterprise clients, WotNot emphasized that they weren’t affected by the leak, stating, “For enterprise customers, we provide private instances to ensure security and compliance standards are strictly adhered to.”