UPDATED 19:58 EDT / NOVEMBER 22 2020

Pray.com exposes millions of user records on unsecured cloud storage

Records of up to 10 million users belonging to Pray.com, a provider of daily Christian prayers and faith-based audio content, have been found exposed online in the latest case of unsecured cloud data.

Discovered by researchers at vpnMentor and reported Nov. 19, the 1.19 million files, relating to 1 million to 10 million users and dating from 2016 to present, were found exposed to all and sundry on an Amazon Web Services Inc. S3 bucket, then later on AWS CloudFront.

The exposed data included names, phone numbers, addresses, marital status, email address, photos, donation lists and more. In some cases, the records included usernames and passwords for private accounts.

AWS S3 data exposures — not the fault of Amazon, which gives ample explanation on how to secure storage — are a dime a dozen. Where this case becomes more interesting is with the involvement of CloudFront, Amazon’s content delivery network.

“Pray.com seemingly overlooked installing proper security measures on its CloudFront account,” the researchers explained. “As a result, any files on the S3 buckets could be indirectly viewed and accessed through the CDN, regardless of their individual security settings.”
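One way to audit a distribution for the condition the researchers describe, as an added example that is not from vpnMentor, Pray.com or the original article. It assumes the gap is a distribution that reads private S3 objects with its own origin identity but does not require signed URLs or cookies from viewers (the article does not say which setting was missing); the sample configuration and all names in it are constructed.

```python
# Offline audit of a CloudFront DistributionConfig document (the JSON shape
# returned by the CloudFront GetDistributionConfig API).

def _restricted(behavior):
    """True if viewers must present a signed URL or signed cookie."""
    signers = behavior.get("TrustedSigners", {}).get("Enabled", False)
    key_groups = behavior.get("TrustedKeyGroups", {}).get("Enabled", False)
    return bool(signers or key_groups)

def _private_s3_origins(config):
    """IDs of S3 origins CloudFront reads with its own identity (OAI or OAC)."""
    ids = set()
    for origin in config.get("Origins", {}).get("Items", []):
        oai = origin.get("S3OriginConfig", {}).get("OriginAccessIdentity", "")
        oac = origin.get("OriginAccessControlId", "")
        if oai or oac:
            ids.add(origin["Id"])
    return ids

def open_paths(config):
    """(path pattern, origin) pairs that expose a privately read S3 origin
    to any anonymous viewer, whatever the bucket's own settings say."""
    private = _private_s3_origins(config)
    behaviors = [dict(config["DefaultCacheBehavior"], PathPattern="*")]
    behaviors += config.get("CacheBehaviors", {}).get("Items", [])
    return sorted(
        (b["PathPattern"], b["TargetOriginId"])
        for b in behaviors
        if b["TargetOriginId"] in private and not _restricted(b)
    )

# Constructed sample, not Pray.com's configuration.
SAMPLE = {
    "Origins": {"Items": [
        {"Id": "user-uploads", "DomainName": "example-bucket.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity":
                            "origin-access-identity/cloudfront/EXAMPLEID"}},
        {"Id": "static-site", "DomainName": "www.example.com",
         "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"}},
    ]},
    "DefaultCacheBehavior": {"TargetOriginId": "static-site",
                             "TrustedKeyGroups": {"Enabled": False}},
    "CacheBehaviors": {"Items": [
        {"PathPattern": "/avatars/*", "TargetOriginId": "user-uploads",
         "TrustedKeyGroups": {"Enabled": False}},
        {"PathPattern": "/exports/*", "TargetOriginId": "user-uploads",
         "TrustedKeyGroups": {"Enabled": True}},
    ]},
}

if __name__ == "__main__":
    for path, origin in open_paths(SAMPLE):
        print(f"anonymous viewers can read origin {origin!r} via {path}")
```

A path flagged here is acceptable only if every object the origin identity can read is meant to be public; otherwise the bucket policy should be narrowed or the behavior should require signed requests.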

The S3 bucket was discovered Oct. 3 and the researchers reached out to the company four times until eventually receiving a response Nov. 17. They also contacted Amazon twice in October to inform it that the data was exposed.

The response received, however, was not one that would usually be expected. Instead of responding to the four emails from the researchers with a confirmation, Pray.com Chief Executive Officer Steve Gatena responded with an email that simply read “unsubscribe.” Pray.com has not publicly commented on the report even when contacted by Fox News.

Along with the risks to users, ranging from phishing and scams to account takeovers and more, Pray.com will likely face legal action under the California Consumer Privacy Act. The company has users in California and is also based in the state. Given that some of its users are based in the European Union, the company is also liable under the EU’s General Data Protection Regulation.

“The unintentional but unfortunate exposure of personal data for which Pray.com is responsible for care-taking should remind every organization to rethink their data security for cloud-based applications and storage,” Trevor Morgan, product manager with data security specialists comforte AG, told SiliconANGLE. “The assumption that cloud providers take care of every aspect of security for their enterprise customers is a faulty one. Each organization bears the responsibility to provide an adequate level of data protection for information they process or store in their cloud repositories.”

Because data within the cloud is frequently “in motion,” more traditional perimeter-based mechanisms can fall far short of effective, he added. “Organizations should consider data-centric protection methods such as tokenization and format-preserving encryption because they protect the data throughout its entire journey and lifecycle, obfuscating the sensitive information instead of depending on the perimeter security around that data,” he said.
