Security News > 2021 > February > European volleyball org's Azure bucket exposed reporter passports

European volleyball org's Azure bucket exposed reporter passports
2021-02-01 15:45

A publicly exposed cloud storage bucket was found to contain images of hundreds of passports and identity documents belonging to journalists and volleyball players from around the world.

Reverse-image searches for headshots revealed that these well-known European volleyball players were either directly associated with CEV or were part of a volleyball team or federation affiliated with the CEV. BleepingComputer also found some of CEV's assets in the bucket, such as branding images with CEV logos on them.

In all cases, BleepingComputer received a positive affirmation from the media representatives and sportspeople that they had indeed submitted their documents to CEV. "I get my credentials for covering Volley Ball Olympic game qualifications with CEV," Ludovic Piedtenu, a correspondent of Radio France in Germany, told BleepingComputer.

On reviewing the HTML source code of CEV's Media Club Accreditation System webpages, BleepingComputer noticed links to the exposed accreditationstorage blob were present on these pages, further confirming the bucket was indeed linked to CEV [1, 2]. CEV silent for months, quietly removes files.

After having sufficient confirmation that the publicly exposed "Backup" storage bucket was linked to CEV, BleepingComputer reached out to CEV multiple times to report the leak.

BleepingComputer first reached out to CEV on November 24th, 2020 via email and on their "Out of hours" press helpline, but we did not hear back.


News URL

https://www.bleepingcomputer.com/news/security/european-volleyball-orgs-azure-bucket-exposed-reporter-passports/