Kromtech says it found "more than 4 million records" spanning November 26, 2010 to July 7, 2017 "with Transaction ID, user names, Mac addresses, Serial Numbers, Account Numbers, Service, Category details, and more".
The exposed information appears to relate to TWC customers who had used the MyTWC app, which was developed by BroadSoft. Some records were duplicated, implying that the true number of leaked records may be about half of the 4 million. On top of that, the large size of the discovered files hindered researchers from determining the exact number of exposed persons. On the other hand, no credit card numbers or Social Security information were leaked.
The exposed repository also contained a trove of internal company records, including SQL database dumps, internal emails, code containing access credentials, access logs and more.
The breach was discovered by a third-party firm that was working to resolve a data breach at another company.
"We see more and more examples of how bad actors use leaked or hacked data for a range of crimes or other unethical purposes", said Bob Diachenko, Kromtech's chief communications officer.
Publication of the breach, which Kromtech detailed on its website Friday, was delayed so that BroadSoft could privately alert its customers. But the researchers did review password-protected data, which means these records are possibly vulnerable to access by anonymous parties. The company also does not believe the data was accessed by anyone with malicious intent.
"We immediately secured these Amazon S3 bucket exposures and are continuing to aggressively investigate these exposures and will take additional remedial actions as needed", the spokesperson told Gizmodo.
Charter Communications - which acquired Time Warner Cable in 2016 and renamed it Spectrum - said the exposed information was removed immediately after the discovery and that it is now investigating the incident together with BroadSoft.
Furthermore, there is nothing to suggest that Charter systems were affected. "As a general security measure, we encourage customers who used the MyTWC app to change their user names and passwords".