Information collected by the United States Department of Defense, including two Pentagon unified combatant commands, was left exposed online for anyone to access, according to security researcher Chris Vickery.

The director of cyber risk research at cybersecurity firm Upguard discovered three Amazon Web Services (AWS) S3 cloud storage buckets that were configured to allow any person with an AWS global authenticated account to download the information stored in the servers. AWS global authenticated accounts can be acquired through a free sign-up process.

The databases belonging to the U.S. Defense Department contained at least 1.8 billion internet posts scared by intelligence services from news sites, comment sections, web forums and social media including Facebook. The data spanned collected over an eight-year period.

The information, which dates back as far as 2009, was collected by U.S. Central Command (CENTCOM) and U.S. Pacific Command (PACOM)—two Pentagon unified combatant commands charged with U.S. military operations across the Middle East, Asia, and the South Pacific.

Most of the data is believed to have been publicly accessible information and did not contain any sensitive personal information—unless a person was sharing such information in one of the posts collected by U.S. intelligence.

Sites from which the content was scraped from vary widely. While Facebook was one of the most popular destinations for information gathering by the apparent military intelligence operation, Upguard researchers said the database contained archives of everything from soccer discussion groups to video game forums.

The posts were also made in a number of different languages, though many were in Arabic, Farsi (a language commonly spoken in Iran and Afghanistan), and a number of Central and South Asian dialects spoken in Afghanistan and Pakistan.

Given the content of the databases and the general emphasis on regions where radical terrorist groups are believed to be active and present online, it could be assumed that the information is part of a large-scale surveillance operation being conducted by the U.S. military.

What isn’t clear from the information is why the specific posts included in the database may have been sucked up. While some of the posts reportedly contained political content, others were innocuous and would not give the appearance of any sort of radicalization or malicious intentions.

The leak also raises new questions about privacy and civil liberties. Upguard reported that the database did include some content that appeared to originate from U.S. citizens. There is no clear indication as to why those posts, primarily from Facebook and Twitter, were included in the database.

Upguard’s Vickery first discovered the exposed databases online on September 6. The databases were configured to allow anyone with an AWS authenticated account to access it. By default, Amazon S3 servers are set to private, meaning a user would have to change the settings in order to make the information available publicly.

The U.S. Defense Department confirmed the exposure to CNN. A spokesperson for the department said, “We determined that the data was accessed via unauthorized means by employing methods to circumvent security protocols. Once alerted to the unauthorized access, Centcom implemented additional security measures to prevent unauthorized access."

RELATED STORIES
Security Pakistan Afghanistan Security