Ghost in the Machine
vCISO ChroniclesEPISODE 1: Ghost in the Machine
02:14 AM. Kali Linux online. OSINT scanner firing up. 44 domains in the queue. One objective: find what nobody’s looking for.
The terminal hums. gau is crawling through AlienVault, Wayback Machine, CommonCrawl.
subfinder is pulling subdomains from a dozen sources simultaneously.
The room is dark except for the purple glow of the monitor.
I’m not a hacker. I’m a vCISO – a virtual Chief Information Security Officer. Companies hire me to find their cracks before someone else does. Tonight, I’m hunting across 44 domains. Some are startups. Some are VC firms. Some are fintech. None of them know I’m looking.
04:58 AM. Scan complete.
337,853 URLs. 3,184 PDFs. 5,184 test environments.
One public AWS S3 bucket. Production data. Zero security.
Anatomy of the Find
The S3 bucket belonged to a mid-sized software house serving the fintech sector.
Classic mistake: a Friday deployment. The CI/CD pipeline overwrote the access control lists.
private became public-read.
.env Files
API keys to payment gateways. Stripe. PayPal. Production keys. Not test keys.
Staging Database
Labeled „staging” but contained 15% real customer data. Names. Emails. Hashed passwords.
KYC Scans
Scanned driver’s licenses and passports from Know Your Customer processes. Fully exposed.
Root Cause
One line in a Terraform config. acl = "public-read" instead of "private". That’s it.
vCISO Perspective: Putting Out the Fire
As an external security director, I don’t do blackmail. I don’t do „pay me or I leak this.” My job is protection – sometimes even for companies that haven’t signed my contract yet. This is responsible disclosure.
Step 1 – Secure Evidence: Screenshots of the bucket configuration.
CloudTrail logs. Timestamped proof. If this ever goes to court, I need the paper trail.
Step 2 – Crisis Contact: Call the CTO at 05:15. No answer.
Call the CEO at 05:22. Groggy voice. After „KYC data leak” – instantly awake.
Step 3 – Triage: Within 12 minutes of the call, the bucket was locked down.
Public access disabled. All keys rotated.
Step 4 – Forensic Analysis: CloudTrail logs checked.
Had anyone else accessed the bucket before me? The answer: thankfully, no.
This time.
The Takeaway
You don’t need to be a tech giant to suffer from a misconfiguration like this.
Hackers rarely „break in” anymore. They just log in – or find open doors.
▶ Today’s Golden Rule: Test your cloud permissions right now.
Run cloud-custodian or prowler against your AWS account.
Don’t let a vCISO’s robots be the first to discover your open window.
Domains Scanned
URLs Discovered
To Close the Leak
Hostile Downloads
Is Your AWS Bucket Public Right Now?
Most companies don’t know until someone tells them. That someone should be us – not a hacker.
Get a Free External Scan Email MeRoman Orłowski
vCISO & Founder of ROCyber Solutions. 15+ years in IT security. Former SOC analyst at William Hill. Building OSINT tools at 2 AM. Writing real stories from the cybersecurity underground.
