Exposed Azure bucket leaked passports, IDs of volleyball reporters (2024)

A publicly exposed cloud storage bucket was found to contain images of hundreds of passports and identitydocuments belonging to journalists and volleyball playersfrom around the world.

These sensitive documents were hosted on aMicrosoft Azure blob storage share that was publicly accessible to anyone.

Further investigation byBleepingComputerrevealed that the source of the leak was Confédération Européenne de Volleyball (CEV), orEuropean Volleyball Confederation.

Researcher spots exposedAzure storage blob

In November 2020, cyber threat intelligence researcherBob Diachenkocame across a publiclyexposed online Azure storage blob that contained hundreds of image scans showing passports and identity documents.

On researchingthe names present onthese ID documents, Diachenkocould identify prominent journalists and media representatives who hadlikely submitted these scans as apart of some "accreditation" process.

BleepingComputerreached out to Diachenkoand learned that the location of the exposed storage share was:accreditationstorage.blob.core.windows.net/backup/.

This URL contained thousands of headshot imagesof volleyball players from Europe, Russia, and other countries in both the 'backup'directory and an 'AccreditationPhotos'subfolder.

Also present in the 'backup'directorywas a 'documents'folder that contained scans of passports, driver licenses,and identity documents belonging to sportsjournalists and volleyball players.

Links to these images were soon indexed byGrayhatWarfare, a search engine that captures publicly visiblebuckets.

Images traced back to European Volleyball Confederation (CEV)

BleepingComputer analyzed hundreds of files present within these directories, including the exposed player headshots and identity documents.

Reverse-image searches for headshots revealed that these well-known European volleyball players were either directly associated with CEV or were part of avolleyball team or federationaffiliated with the CEV.

BleepingComputer also foundsome of CEV's assets in the bucket, such as branding images with CEV logos on them.

Further, to confirm our findings, we contacted multiple journalists and sportspeople whoseidentity documentswere being exposedonline on this Azure blob.

In all cases,BleepingComputerreceived a positive affirmation from the media representatives and sportspeoplethat they had indeed submitted their documents to CEV.

"I get my credentials for covering Volley Ball Olympic game qualifications with CEV,"Ludovic Piedtenu, a correspondent of Radio France inGermany, toldBleepingComputer.

On seeing the image of the scan, Piedtenu confirmed that it was indeed a copy of hispassport that he had submitted to CEV to get his press credentialsso he couldcover games in Berlin betweenJanuary 5th and January 10th, 2020.

"Indeed I was accredited in some CEV events, most recently in January in Berlin for Olympic volleyball qualification and as far as I remember I had to provide details of my ID in order to get the accreditation card,"Tomas Kohlmann, a Czech Republic-based sports reporter toldBleepingComputer.

"I didn't give my passport to anyone. Only the CEV and the embassies of [Schengen countries]," a third source toldBleepingComputer.

CEV does have an online Media Club accreditation system,which enables media representatives and journalists to register and upload their identity documents for verification.

On reviewing the HTML source code of CEV's Media Club Accreditation System webpages,BleepingComputernoticed links to the exposedaccreditationstorageblobwere present on thesepages, further confirming the bucket was indeed linkedto CEV[1, 2].

CEV silent for months, quietly removesfiles

After having sufficient confirmation that the publicly exposed"backup" storage bucket was linked to CEV, BleepingComputer reached out to CEV multiple times to report the leak.

BleepingComputerfirstreached out to CEV on November 24th, 2020 (the same day of Diachenko's tweet) via email and on their "out of hours" press helpline, but we did not hear back.

We tried contacting CEV the followingday but still did not hear back.

Through December, we continued to reach out to different CEV departments, key personnel via email and LinkedIn, and former employees to inform the organization about the leak without anysuccess.

Finally, on December 11th, we received an acknowledgmentfrom CEV's legal department that they were investigating the issue, but within five minutes, the sender hadrecalledtheir message.

It remainsunclear when and how the publicly exposed bucket closed, but as ofJanuary 29th, 2021,the links within the 'backup'folder areno longer accessible, as observed byBleepingComputer.

Further, attempting to navigate toaccreditationstorage.blob.core.windows.net via the Microsoft Azure Storage Explorer application now throws an authentication error,"Server failed to authenticate the request. Please refer to the information in the www-authenticate header."

All of this indicatesthe bucket and the sensitive files contained were secured and areno longer publicly accessible.

"Thanks for your email and for reporting us this security issue. Indeed, the server is now secure, and we are working internally and with our processor to improve on the security of personal data in all the tools we use, and to improve our response plan in case of security incidents," a CEV spokesperson told BleepingComputer on February 2nd, 2021, after the publication of this article.

The spokesperson did not comment on whether the exposedsensitive fileswereaccessed by adversaries.

Casesof exposed cloud storage buckets leaking sensitive data have occurred time and time again.

Last year, anotherunsecured Azure blob belonging to a Cayman Islands investment firmexposed identity and financial documents.

In late 2019,BleepingComputerreported millions of Lion Air passenger records being exposed through buckets were exchanged on forums.

When storing sensitive data and backups in cloud storage buckets and blobs, it is mandatory that proper permissions be configured and to cross-checkif theseassetscould be accessed publicly.

Update 02-Feb-2021:Added statement from CEV received after press time.