The official website of Republican presidential candidate and serial twitterer Donald Trump leaked the resumes of more than twenty aspiring interns.
The resumes were stored in a misconfigured Amazon cloud storage bucket that was accessible to anyone who knew where to look. Chris Vickery, a researcher at the security firm MacKeeper who specializes in finding insecure and exposed databases online, found the data last week and then alerted Trump's campaign. The exposure has since been fixed, but the resumes were left publicly readable for weeks, if not longer.
"The official Trump site's repository misconfiguration was pretty bad," Vickery told Motherboard. "If my initial findings are correct, then any file in that S3 bucket could have been downloaded."
Trump's IT team, or whoever was responsible for the server, misconfigured an Amazon S3 bucket. The bucket did not allow anyone to list its contents, so there was no way to simply pull an index of every exposed file, but the individual objects were world-readable: anyone who guessed or otherwise knew a filename (an example of a real exposed one was: http://assets.donaldjtrump.com.s3.amazonaws.com/resumes/resumes.docx) could download it without any credentials, Vickery explained. He added that he didn't look any further, but that it's possible more documents were exposed.
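To make the distinction concrete, here is a small anonymous-probe script, added for this article and not Vickery's tooling or anything from the campaign's site. It tells apart the two exposure modes: a bucket that lets anyone enumerate its keys, and a bucket that denies listing but still serves individual objects to anyone who guesses the key, which is the configuration described above. The bucket name, the candidate keys and the `simulated_fetch` responses are assumptions constructed for the example; no network requests are made unless you swap in the real `http_fetch`.

```python
"""Anonymous S3 exposure probe (example added for this article; not the
researcher's tooling). Uses no AWS credentials: it asks whether a bucket
(a) lets anyone list its keys and (b) lets anyone read objects whose keys
are guessed."""
import urllib.error
import urllib.request


def bucket_url(bucket: str, key: str = "") -> str:
    """Path-style URL. Bucket names containing dots (like the one in the
    article) would break TLS validation in the virtual-hosted form
    bucket.s3.amazonaws.com, so the path form is used here."""
    return f"https://s3.amazonaws.com/{bucket}/{key}"


def http_fetch(url: str, method: str = "GET") -> int:
    """Unauthenticated request; returns only the HTTP status code."""
    req = urllib.request.Request(url, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(bucket: str, candidate_keys, fetch=http_fetch) -> dict:
    """Classify a bucket's anonymous exposure.

    listing : "open", "denied", "no such bucket" or "http <code>"
    readable: guessed keys that anyone can download
    missing : guessed keys S3 confirmed do not exist (only possible when the
              caller has ListBucket, i.e. when listing is open)
    opaque  : guessed keys that returned 403, meaning private OR absent
    """
    report = {"bucket": bucket, "listing": None,
              "readable": [], "missing": [], "opaque": []}

    # (a) ListObjectsV2 on the bucket root: can an anonymous caller enumerate?
    status = fetch(bucket_url(bucket) + "?list-type=2&max-keys=1")
    if status == 404:
        report["listing"] = "no such bucket"
        return report
    report["listing"] = {200: "open", 403: "denied"}.get(status, f"http {status}")

    # (b) HEAD each guessed key: can an anonymous caller read specific objects?
    for key in candidate_keys:
        status = fetch(bucket_url(bucket, key), method="HEAD")
        if status == 200:
            report["readable"].append(key)
        elif status == 404:
            report["missing"].append(key)
        else:
            # S3 answers 403 rather than 404 for a nonexistent key when the
            # caller lacks s3:ListBucket, so a 403 here does not prove the
            # object exists. Brute-forcing keys stays blind in this mode.
            report["opaque"].append(key)
    return report


def simulated_fetch(url: str, method: str = "GET") -> int:
    """Constructed stand-in for the network (an assumption for this example),
    modelling the configuration the article describes: listing denied, one
    guessed object world-readable, everything else 403."""
    if "?list-type=2" in url:
        return 403
    if url.endswith("/resumes/resumes.docx"):
        return 200
    return 403


if __name__ == "__main__":
    guesses = ["resumes/resumes.docx", "resumes/index.html", "backup.zip"]
    # Swap fetch=simulated_fetch for the default http_fetch to probe a bucket
    # you are authorised to test.
    print(probe("assets.donaldjtrump.com", guesses, fetch=simulated_fetch))
```

With credentials on the account, the same question is answered directly by `aws s3api get-bucket-acl --bucket NAME` (look for a grant to the `AllUsers` group) and, on accounts created after 2018, `aws s3api get-public-access-block --bucket NAME`; the fix for a bucket like the one in the article is to remove that public-read grant, or turn on Block Public Access so that such a grant cannot take effect.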
"We'll probably never know how bad the exposure really was or what other files I could have found," Vickery wrote in a blog post published on Wednesday.
The information on the resumes isn't that sensitive. Most included email addresses, cellphone numbers, and, of course, the applicant's work history. One, for example, listed having worked as an intern at the NSA. Whether this is something that shouldn't be on the open internet probably depends on your own definition of privacy.
"I don't really care," one of the aspiring interns told Motherboard.
Another aspiring intern, who asked to remain anonymous, seemed amused when he found out how his data got exposed.
"Oh lol, so it wasn't even deliberate," he said. "Sucks that it was up for who knows how long, but my info is already in the hands of about every telemarketer and spam emailer in the world."
While the applicant said he wasn't too concerned about the leak, he did criticize the Trump campaign.
"I'm convinced at this point that the Trump campaign has gleefully handed the reins of anything resembling organization to a gang of baboons, because baboons were determined to be the cheaper alternative," he told me.
The Trump campaign did not respond to a request for comment. But MacKeeper reported that the resumes were no longer publicly accessible on Tuesday, after Vickery alerted the campaign with the help of Dissent Doe, the admin of databreaches.net.
The website of a pro-Hillary political action committee, the Balance of Power PAC, also unintentionally leaked data through misconfigured Amazon S3 buckets, MacKeeper's Vickery found. In this case, instead of interns' data, the leak exposed donor details, including full name, home address, email address, phone number, and Facebook ID.
A spokesperson for the Balance of Power PAC said that the data was housed by "a former vendor," and that the PAC is no longer using their services.
"The data should have been deleted by now from their servers. We were not aware that they had not taken down the data," Sam Deskin of Balance of Power PAC told Motherboard in an email. "All of that being said, most of the data is publicly available in our FEC filings with the exception of the phone numbers and email addresses. There was no financial data as we do not maintain that information."
While these are not disastrous leaks, in light of the recent data breaches on US political targets, one might wonder: Who needs Russian hackers when the presidential candidates accidentally leak data themselves?
"Let's just hope that Donald's team learned a good lesson here," Vickery wrote in his post. "And, if he is elected, that they are capable of guarding national assets better than their website's assets."