The File That Contained the Keys Has Been Removed: An Analysis of Secret Leaks in Cloud Buckets and Responsible Disclosure Outcomes
SOUFIAN EL YADMANI
fwd:cloudsec Europe 2025 · Day 2 · Main Room
Soufian El Yadmani, CEO of Dutch security startup Modat and PhD candidate at Leiden University, presented peer-reviewed academic research analyzing secret leaks in publicly exposed cloud storage buckets across four major providers: **AWS S3**, **Azure Blob Storage**, **GCP Cloud Storage**, and **DigitalOcean Spaces**. The research analyzed approximately half a million exposed buckets, identified 215 valid credential leaks across 160 organizations, conducted responsible disclosure to all affected parties, and systematically measured how organizations responded to the notifications. The findings reveal that cloud bucket credential exposure remains a pervasive, cross-industry problem and that leaked credentials provide attack paths far beyond the bucket itself, including lateral movement, privilege escalation, and third-party compromise. Of the notified organizations, 40% failed to remediate during the research period, and many of those that did remediate made critical mistakes such as deleting the file without revoking the exposed credentials.
AI review
A large-scale empirical study that quantifies what most of us already suspect — publicly exposed buckets are full of valid credentials that enable deep lateral movement. The responsible disclosure data and remediation failure analysis add genuine novelty to an otherwise well-trodden topic. The attack chains demonstrated (CrowdStrike Falcon access, 230-bucket cascade, Slack-to-prod pivoting) show real impact.