Cyble’s ODIN vulnerability search tool has detected more than 200 billion exposed files in cloud buckets across seven major cloud providers. 

The 200 billion exposed files reflect the sheer scale of accidental data exposure on the internet, data that’s often left publicly accessible due to misconfigurations. The files include data ranging from documents and credentials to source code and internal backups. 

The ODIN platform scans cloud buckets at scale and classifies exposed content using machine learning-based detection. ODIN has also detected more than 660,000 exposed buckets, in addition to more than 91 million exposed hosts. 

Cyble monitors and classifies these datasets to help organizations reduce their attack surface. 

Exposed Credentials, Source Code and Confidential Files 

Filtering the ODIN data for just three sensitive data types yielded millions of credentials, source code and confidential files (images below; URLs and identifying information redacted). 

Filtering for “source code” and the Go language, for example, yielded 5.6 million results (image below). 

Filtering for env credentials returned 110,000 results: 

And a search for confidential files returned more than 1.6 million results: 

Those are just three of the several sensitive data types detected by ODIN’s machine learning-based scanning. 

Cloud Storage Bucket Access and Configuration 

Exposed cloud storage buckets have only grown in number since Cyble reported more than 500,000 exposed buckets in August 2024. 

Managing access to cloud storage buckets can be challenging even for the largest organizations, and misconfigured cloud buckets are all too common. While cloud storage is typically private by default, it can quickly get complicated when you start sharing objects or resources. 

Google, for example, recommends taking a Uniform approach, which allows you to use Identity and Access Management (IAM) alone to manage permissions. The Fine-grained approach of combining IAM and Access Control Lists (ACLs) would allow you to specify access on a per-object basis, but because of the need to coordinate between the two different access control systems, there is a bigger risk of unintentional data exposure, and auditing also becomes more complicated. One way to balance access and risk is to use managed folders, which allow fine-grained access to specific groups of objects with a bucket. 

Amazon S3 resources are private by default. S3 offers several access management tools, the most common of which is an access policy, which can be set based on resources such as a bucket, or identity through an IAM identity. 

Microsoft recommends using Microsoft Entra ID and managed identities to authorize access to Azure Storage. 

Detecting Exposed Cloud Storage Files and Buckets 

Without a service like Cyble’s Cloud Security Posture Management (CSPM) platform, it can be difficult to detect misconfigurations and exposed cloud storage buckets. While usage logs are one possible option, routine audits of bucket access permissions are a critically important practice. 

Data loss prevention (DLP) tools can help you identify where you have sensitive data stored that needs to be protected, and other important cloud storage security practices include object encryption and retention and lifecycle management. 

Cyble’s ODIN service can help organizations detect exposed cloud storage buckets and files, and dark web monitoring tools such as those from Cyble can give organizations an early warning when data and credential leaks do occur so they can respond faster and take action to secure accounts and data. 

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No Liability for Errors or Omissions Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.