Dow Jones Cloud Leak Exposes Data of Millions of Subscribers – Veri Sızıntısı
Live
Search
Company
About Founder's Note Press & Media Privacy Policy Terms of Service FAQ Brand Kit
Products
HUBOne HUBCorp Coming Soon Veri Sızıntısı Android Coming Soon Veri Sızıntısı iOS Coming Soon Veri Sızıntısı Huawei Coming Soon Breach Radar Argus Flow Argus Engine LivePlatform
Technologies
What is Argus AI? Try on HUBOne What is Argus Flow? What is Argus Engine?
Blog Contact

Dow Jones Cloud Leak Exposed Data of Millions

A misconfigured cloud server belonging to Dow Jones, the parent company of The Wall Street Journal, left the personal and financial data of millions of subscribers unprotected. The leak, discovered by cybersecurity firm UpGuard, is proof of how a simple mistake can have massive consequences.

A cloud and a broken padlock icon superimposed over the Dow Jones logo

What Happened

It all started with that familiar scenario again. A major corporation, owner of some of the world's most respected financial publications, leaves a door wide open somewhere in the cloud. This time, the company on stage is Dow Jones & Company, the parent of publications like The Wall Street Journal and Barron's. Cybersecurity researchers discovered that one of the company's Amazon Web Services (AWS) S3 storage buckets was completely unprotected and publicly accessible. That means anyone who knew the right address could access sensitive information on millions of subscribers without facing any obstacles, not even needing a password.

The incident was brought to light by the cybersecurity firm UpGuard, known for its work scanning for these kinds of open servers. During their routine checks, researchers stumbled upon this massive treasure trove of data. Let's be clear, this was not a hack. No one wrote complex code to breach Dow Jones's systems. The situation is much simpler, and perhaps that's why it's more tragicomic: someone configured a setting incorrectly. A server was marked 'public' instead of 'private,' and nobody noticed. Not until UpGuard researchers came knocking.

Leaks of this nature are one of the most common yet most preventable problems in the cybersecurity world. As companies focus on the flexibility and power of moving their data to the cloud, they can overlook the most basic security protocols. A single wrong click by a developer or a system administrator can leave the data of millions of people exposed in the middle of the internet. The Dow Jones case is a textbook example of this. Millions of dollars in security budgets, software, consultants... all seem to have been rendered useless by a single misconfiguration.

Has your email been leaked? Check for free — results in seconds.

Check Now →

The Data Exposed

So, what exactly was in this unlocked digital safe? The list is quite long and, considering the clientele of a financial publishing giant, quite valuable. According to UpGuard's report, the leaked database contained information on somewhere between 2.2 and 4 million subscribers. Here's a breakdown of some of that data:

  • Personally Identifiable Information (PII): Full names, home and business addresses, email addresses, and phone numbers. This is the basic arsenal required for fraudsters to target an individual.
  • Subscription Details: Information on which publication they subscribed to (The Wall Street Journal, Barron's, MarketWatch, etc.), their subscription types, and how much they paid.
  • Account Information: Usernames and other account-related identifiers. One of the most worrying aspects, though not specified in the report, is the possibility that passwords in such leaks are often poorly protected (e.g., hashed with an old algorithm like MD5).
  • Partial Financial Data: Perhaps the most sensitive part. The leaked data also included the last four digits of customers' credit cards. While not a full card number, this information can become a powerful weapon when combined with other personal data. When scammers call you and say, "Mr. Smith, there's an issue with your card ending in 1234," this piece of information makes them far more believable.

The combination of this data represents much more than a simple data leak. It's a treasure trove that could be used to build detailed profiles of some of the world's most influential business people, investors, and politicians. Information about who reads which financial news, where they live, and what email address they use can be exploited for sophisticated phishing attacks and even blackmail. The exposure of a CEO's home address and phone number, combined with knowledge of their interest in specific financial analyses, creates security risks far greater than one might imagine.

How the Attack Happened

The technical side of this is surprisingly simple. Dow Jones was using Amazon's S3 service for data storage. You can think of S3 as a gigantic digital warehouse on the internet. These warehouses are called "buckets," and each bucket has access settings. By default, these buckets are private, meaning only authorized individuals can access them. However, a user can change this setting and make a bucket "public." This is precisely where the disaster began.

It appears that the permissions for at least one of Dow Jones's S3 buckets were set to require no authentication. This meant that anyone who knew the bucket's URL, or discovered it with scanning tools, could browse and download the files within. Was it human error? Most likely. An employee might have changed the setting for a temporary file share and forgotten to change it back. Or, an automated script might have been misconfigured, resetting the security settings. Whatever the cause, the result is the same: the data of millions was left in an unlocked safe.

This incident once again highlights the "shared responsibility model" of cloud security. Cloud providers like Amazon are responsible for the security *of* the cloud—the physical security of servers, the network infrastructure. However, the customer—in this case, Dow Jones—is responsible for security *in* the cloud. That means correctly configuring the security of the data and applications they place on that infrastructure. Dow Jones failed to use the security tools provided by Amazon correctly, paving the way for this massive leak. In short, there's no hacker to blame. There's only a mirror.

Who Is Affected

The victims of this leak are the millions of people who pay for Dow Jones publications and trust the company with their data. The list is quite extensive:

  • The Wall Street Journal Subscribers: Readers of one of the world's largest business and finance newspapers. This audience consists of CEOs, top executives, investors, and academics—all high-value targets for identity theft and phishing attacks.
  • Barron's Subscribers: Another prestigious publication, specifically targeting investors and market professionals. Their financial assets and interest in market movements make them prime targets for fraudsters.
  • Users of Other Dow Jones Properties: Users of popular financial news sites like MarketWatch or corporate services like Factiva could also be at risk. Although the full scope of the leak is not yet clear, it's safest for anyone who has subscribed to any service under the Dow Jones umbrella to assume they are potentially affected.

And it's not just current subscribers. Due to corporate data retention policies, the data of millions who have canceled their subscriptions in the past may still have been on these servers. So even if you ended your WSJ subscription years ago, your data could still be part of this leak, further expanding its potential impact.

What You Can Do

If you are or were a subscriber to a Dow Jones publication, now is not the time to panic, but to act wisely. Here are some non-cliché steps tailored specifically to this breach:

1. Prioritize Your Passwords: It's easy to say "change all your passwords," but it's not realistic. Do this instead: Do you use the same password for your Dow Jones accounts anywhere else, especially for critical services like email or banking? If yes, change the passwords for those critical services first. Attackers will take these leaked passwords and use automated tools to try them on other platforms. This technique is called 'credential stuffing,' and it's highly effective. Your Dow Jones password can be your second priority.

2. Be Paranoid About Phishing: For the next few months, be extra vigilant about messages you receive via phone and email. Scammers now know which publication you subscribe to, your address, and the last four digits of your credit card. You will receive highly personalized and convincing fake emails like, "Dear John Smith, we were unable to renew your Wall Street Journal subscription with your card ending in 4567. Please click here to update your information." Remember: Dow Jones will never ask for your password or full credit card number in an email. If you receive a suspicious email, do not click any links inside it. Instead, open your browser and manually type wsj.com or the relevant site's address to log into your account.

3. Monitor Your Credit Card Statements and Bank Accounts: While no full credit card numbers were leaked, this information can be combined with data from other sources to commit fraud. Over the next few months, review your credit card statements line by line. Even a small, unfamiliar charge could be a sign that your card details are being tested. Contact your bank immediately.

What the Company Is Saying

The initial response from Dow Jones was, as expected, couched in corporate language. A company spokesperson confirmed they were notified by UpGuard and that access to the server in question was immediately shut down. The statement said, "The security of our customers' data is our highest priority. We have launched an investigation to understand the incident and are taking steps to notify affected customers."

However, the company left key questions unanswered, such as how long the data was exposed or who might have accessed it during that time. They also tried to downplay the situation by stating that the leaked data did not include "full credit card numbers, social security numbers, or other sensitive personal identification." While technically true, this doesn't change the fact that the combination of leaked PII and partial financial data can be extremely dangerous. The company is expected to release a more detailed statement and contact affected users directly in the coming days. For now, it seems the best course of action for customers is to take their security into their own hands.

Source

https://www.upguard.com/breaches/cloud-leak-dow-jones

Share This Article
X LinkedIn WhatsApp
← Previous Post Charter Breach Could Expose Nearly 5 Million People Next Post → Security Firm APIsec Leaks Its Own Customer Data

Weekly Newsletter

Curated data breach news delivered to your inbox every week.