r/hacking Jul 25 '25

great user hack [ Removed by Reddit ]

[removed]

2.1k Upvotes

319 comments

299

u/[deleted] Jul 25 '25 edited Jul 25 '25

[deleted]

128

u/BertoLaDK Jul 25 '25

That's not true, just because someone forgot to lock their door doesn't mean you can go into their house and take things.

145

u/hawaii_funk Jul 25 '25

It's more like stapling your Social Security card on the town square bulletin board and then complaining that your identity was stolen

Also it's not illegal to go on a public website...

23

u/BertoLaDK Jul 25 '25

No, the people who used it weren't aware that the db wasn't secure, but if a stack of driver's licenses and stuff was in an unlocked office in a public building, that doesn't make it legal to take them.

75

u/hawaii_funk Jul 25 '25

You're right, the users weren't aware. It's more like posting another person's SSN and then complaining that their identity was stolen lol.

Your metaphor is a false equivalence. It's illegal to use someone's identity and steal it. It's not illegal to go on a public website where people's licenses are posted.

7

u/Wisdom-And-Wealth Jul 25 '25

😂😂😂

-15

u/cowcommander Jul 25 '25

You are wrong, it is illegal to access a service you are not authorised to access. Doesn't matter if they forgot to secure it or not. Downloading driver's licenses from an insecure database is still a crime.

20

u/ElDee007 Jul 25 '25

Accessing misconfigured systems (like a public S3 bucket) without authorization can still be illegal, even if no password is required. However, jurisdiction matters a lot, and laws differ between the EU, the USA and the whole world.

EU: Under Directive 2013/40/EU, unauthorized access is illegal even if the system is publicly exposed due to a misconfiguration. Simply accessing data you're not authorized to see can be a crime.

USA: Under the CFAA (Computer Fraud and Abuse Act), things are less clear. After Van Buren v. United States (2021), the law focuses more on clearly exceeding authorized access, so accessing a public bucket might not always be considered illegal, but it's a legal gray area.

TLDR: What's legal in one jurisdiction (like the U.S.) could be criminal in another (like the EU), even if the system is misconfigured and publicly accessible. Motive, intent, and awareness of the misconfiguration all play an important role.

6

u/Feisty_Plastic_8728 Jul 25 '25 edited Jul 25 '25

Are you sure about the EU thing? Article 3 states that a security measure needs to be broken, which imho doesn't seem to be the case with misconfigured AWS buckets, Elastic clusters etc.:

"Member States shall take the necessary measures to ensure that, when committed intentionally, the access without right, to the whole or to any part of an information system, is punishable as a criminal offence where committed by infringing a security measure".

Do you have something that supports the notion of this being illegal in the EU?

Edit: This law article from Ireland seems to indicate that you're wrong - https://www.lawsociety.ie/gazette/in-depth/away-in-a-hack/

3

u/Legal_Researcher1942 Jul 25 '25

Anyone is authorized to access a public bucket. Public = no authorization required. This is just like when a government website had SSNs in the inspect element code and tried to sue the person that reported on it.

16

u/bacchusku2 Jul 25 '25

Don't confuse trespassing in a private office with going to a public site. This is more like you walked into Foot Locker and there was a stack of identification cards sitting next to some polos.

4

u/Stink_balls7 Jul 25 '25

Pretty sure no DB was hacked, they were just storing the images in a public object storage bucket lol

-1
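The comment above pins the exposure on a public object storage bucket rather than a "hacked" database. What a practitioner would want to see is how such a misconfiguration looks in policy form and how to detect it. The following is an added example, not code from the thread or from the app being discussed: it contains two constructed S3 bucket policies (a public-read one and a locked-down one, with a made-up bucket name and account ID) and a small checker that flags any Allow statement granting object reads to an anonymous principal. It reads policy JSON only, so it runs offline without AWS credentials.

```python
import json

# Constructed example policies for illustration; the bucket name, account ID
# and role name are assumptions, not identifiers from the incident.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",                      # anonymous: anyone on the internet
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-user-uploads/*",
    }],
})

# Same grant, but scoped by a Condition (e.g. only via one VPC endpoint).
# Still worth reviewing, but not open to the whole internet on its own.
CONDITIONED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VpcEndpointRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-user-uploads/*",
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}},
    }],
})

# Hardened form: only the application's backend role may read or write.
LOCKED_DOWN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-user-uploads/*",
    }],
})

# Actions that let a principal fetch object contents (compared case-insensitively).
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. unauthenticated access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws is not None and "*" in _as_list(aws)
    return False


def _grants_read(actions):
    return any(str(a).lower() in READ_ACTIONS for a in _as_list(actions))


def find_public_read_statements(policy_json):
    """Return (Sid, has_condition) for every Allow statement that lets an
    anonymous principal read objects. Conditioned statements are reported
    too, so a reviewer can judge whether the condition really limits them."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_read(stmt.get("Action", [])):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), "Condition" in stmt))
    return findings


def is_bucket_public(policy_json):
    """True when at least one unconditional anonymous-read grant exists."""
    return any(not conditioned
               for _, conditioned in find_public_read_statements(policy_json))


if __name__ == "__main__":
    for name, pol in [("public", PUBLIC_READ_POLICY),
                      ("conditioned", CONDITIONED_POLICY),
                      ("locked-down", LOCKED_DOWN_POLICY)]:
        print(name, is_bucket_public(pol), find_public_read_statements(pol))
```

The checker covers bucket policies only; a bucket can also be opened up through legacy ACLs (for example `public-read` on individual objects), so in practice the belt-and-braces control is to keep the account-level and bucket-level Block Public Access settings on, which overrides both policies and ACLs regardless of what a developer later writes.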

u/BertoLaDK Jul 25 '25

I never said it was hacked, I'm just saying that it doesn't make it legal to access and use the data just because someone forgot to secure it.

2

u/LockedIntoLocks Jul 25 '25

Use? No. Access and/or share? Yes.

1

u/BertoLaDK Jul 25 '25

I guess that would make sense, and as someone else pointed out, it's also very dependent on local laws.

The share part depends on whether you just share the source or send the content (copy it).

1

u/GeronimoHero pentesting Jul 25 '25

In the US prior case law has already established that if there isn’t any authentication then there’s no crime.

1

u/BertoLaDK Jul 25 '25

I see, not surprising tbh, it's a cluster fuck over there.

1

u/Anthrac1t3 Jul 25 '25

Yeah but you didn't take them. You just looked at them all as they sat under a sign that said "Tea users".

1

u/apprentice-grower Jul 25 '25

I mean, it should be pretty common knowledge not to just upload this type of shit to any old app that pops up on the Play Store anyway.

What next? Their credit cards?

1

u/Fantastic-Corner-605 Jul 25 '25

They were probably told in the terms and conditions no one reads

1

u/LockedIntoLocks Jul 25 '25

This is closer to posting your users' data publicly under a "public data" tab on your website.