‘Juicy customer data’ belonging to thousands of Aussies leaked from Nine
Thousands of Aussies have been affected by a data breach that exposed personally identifiable information online.
“Juicy customer data” from 16,000 subscribers to Nine newspapers has been laid bare on the internet during a data leak.
A Mastodon user who searches the cloud for open S3 buckets and reports them claims he found the data on March 19 and attempted to alert the company to the breach.
S3 buckets are storage containers on Amazon Web Services (AWS) that hold objects such as files and their metadata.
When a bucket is left open without access controls, the information stored in it can be found by scanning scripts and other tools, exposing the people whose data it holds to a security risk, according to BlueXP.
A Mastodon user, who goes by the username bucketchallenge, claimed he found an open S3 bucket more than a week ago.
The user said they had told the company about the find, but assumed the bucket was the work of a subcontractor.
“It spills a lot of juicy customer data including names, addresses and email IDs,” the post stated.
“I kindly asked for updates, otherwise I’ll escalate that bucket to other agencies to make it go offline.”
In a separate post six days later, another Mastodon user, Martin Seegar, asked, before the matter was resolved, whether anyone had contacts at Nine’s newspapers because they were leaking personally identifiable information.
Mr Seegar said he was asked to get involved because of the nature and amount of data involved in the leak, after other researchers attempted to contact the company but got no reply.
“Our experience says that usually this is inexperience, negligence and laziness,” he said.
“The default setup from Amazon AWS is safe. If you make it open by hand, AWS gives you visible warnings, but if you do it via automation and copy and paste code from StackExchange or ChatGPT, no warning occurs.
“Sometimes the config is so bad, that anyone can write into that bucket (not in this case) and manipulate the data.
“’This is a f..king epidemic.’ If the researchers had a full-time staff of ten people, they would still be unable to keep up with what they find. But they do it in their spare time as ‘civic duty.’”
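The article describes open S3 buckets only in outline, and the researcher's remarks above turn on the difference between a bucket made public by its policy, by its ACL, or left "so bad that anyone can write". The following Python is an added example, not code from Nine, its supplier or the researchers quoted: it takes the three settings that decide a bucket's effective anonymous access (the bucket policy, the bucket ACL grants and the Public Access Block flags, as returned by `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`) and reports what an anonymous caller could list, read or write. The policies, ACL grant, bucket name and account ID in it are constructed samples.

```python
"""Offline check of the settings that make an S3 bucket 'open'.

Added example, not code from Nine, its supplier or the researchers quoted.
Evaluates a bucket policy, bucket ACL and Public Access Block (PAB) flags
and reports what an anonymous caller could do. All samples are constructed.
"""
import fnmatch

ANON_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    # Any AWS account holder at all; for leak purposes this is the world.
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Concrete actions probed against each statement's possibly-wildcarded Action.
PROBES = {"list": ["s3:listbucket"], "read": ["s3:getobject"],
          "write": ["s3:putobject", "s3:deleteobject"]}
# Bucket-ACL permissions: READ lists objects (object ACLs govern download).
ACL_CAPS = {"READ": ["list"], "WRITE": ["write"], "FULL_CONTROL": ["list", "write"]}


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """Principal "*" and {"AWS": "*"} are the two spellings of 'anyone'."""
    return principal == "*" or (
        isinstance(principal, dict) and "*" in _as_list(principal.get("AWS")))


def statement_grants(statement, probes):
    """Unconditional Allow to anyone covering one of probes ("s3:Get*" counts)."""
    if statement.get("Effect") != "Allow" or not _is_anonymous(statement.get("Principal")):
        return False
    if statement.get("Condition"):
        return False  # scoped (e.g. to a VPC endpoint), so not world-readable
    patterns = [a.lower() for a in _as_list(statement.get("Action"))]
    return any(fnmatch.fnmatch(p, pat) for pat in patterns for p in probes)


def assess_bucket(policy=None, acl_grants=None, public_access_block=None):
    """Return {'exposed': {list, read, write}, 'public': bool, 'findings': [...]}.

    policy: parsed bucket policy or None; acl_grants: Grants from GetBucketAcl;
    public_access_block: the four PAB flags (a missing flag counts as False).
    """
    pab = public_access_block or {}
    exposed = {"list": False, "read": False, "write": False}
    findings = []

    for st in _as_list((policy or {}).get("Statement")):
        caps = [cap for cap, probes in PROBES.items() if statement_grants(st, probes)]
        if not caps:
            continue
        sid = st.get("Sid", "<no Sid>")
        if pab.get("RestrictPublicBuckets"):
            # Public policy still stored on the bucket, but no longer honoured.
            findings.append(f"policy {sid} is public but neutralised by RestrictPublicBuckets")
            continue
        exposed.update({cap: True for cap in caps})
        findings.append(f"policy {sid} grants anonymous {', '.join(caps)}")

    for grant in acl_grants or []:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group" or grantee.get("URI") not in ANON_GROUPS:
            continue
        perm, group = grant.get("Permission"), grantee["URI"].rsplit("/", 1)[-1]
        if pab.get("IgnorePublicAcls"):
            findings.append(f"ACL {perm} to {group} ignored by IgnorePublicAcls")
            continue
        exposed.update({cap: True for cap in ACL_CAPS.get(perm, [])})
        findings.append(f"ACL grants {perm} to {group}")

    return {"exposed": exposed, "public": any(exposed.values()), "findings": findings}


# Constructed samples (hypothetical bucket and account). LEAKY_POLICY is the
# shape behind a case like the article's: anyone can list and download.
BUCKET = "arn:aws:s3:::example-subscriber-export"
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": [BUCKET, BUCKET + "/*"]}]}
# The worse configuration the researcher mentions: anyone can also write.
WRITABLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Anything", "Effect": "Allow", "Principal": {"AWS": "*"},
    "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]}]}
# The safe shape: a named account principal, with every PAB flag switched on.
PRIVATE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "OwnerOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Action": "s3:*", "Resource": [BUCKET, BUCKET + "/*"]}]}
PAB_ALL_ON = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}
PUBLIC_LIST_ACL = [{"Grantee": {"Type": "Group",
                    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}]

if __name__ == "__main__":
    for label, kw in [("leaky policy", {"policy": LEAKY_POLICY}),
                      ("world-writable", {"policy": WRITABLE_POLICY}),
                      ("leaky + PAB", {"policy": LEAKY_POLICY, "public_access_block": PAB_ALL_ON}),
                      ("public ACL", {"acl_grants": PUBLIC_LIST_ACL}),
                      ("private", {"policy": PRIVATE_POLICY, "public_access_block": PAB_ALL_ON})]:
        r = assess_bucket(**kw)
        print(f"{label:15} public={r['public']!s:5} {r['exposed']} {r['findings']}")
```

The quick external test for the listing half, which is what bucket-scanning tools automate, is `aws s3 ls s3://<bucket> --no-sign-request`: if it returns keys, the bucket is open to the world. The evaluator deliberately treats a conditioned statement as not public and does not model Deny, NotPrincipal, NotAction or per-object ACLs, so a "not public" result here is not proof of a private bucket, while a "public" result is a real finding. Note also that BlockPublicPolicy only stops new public policies being attached; it is RestrictPublicBuckets that neutralises one already in place, which is why the sample policy is treated as harmless only under that flag.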
A Nine spokesman said they were made aware by a security researcher that certain personal information held by a third party supplier was not protected to the level of the company’s strict internal data protocols after an unauthorised change.
The spokesman said they were contacting 16,000 print subscribers of The Sydney Morning Herald, The Age and The Australian Financial Review who were affected.
“The customer personal information that was held by the provider was limited to name, postal address and/or email address.
“The data did not include credit card details or passwords.
“While there has been no breach of Nine’s internal technology infrastructure, Nine treated this matter seriously and worked with the third party to resolve the issue.”
Originally published as ‘Juicy customer data’ belonging to thousands of Aussies leaked from Nine