The data didn’t include anything more than the email addresses, so the potential for abuse was relatively small. However, it’s concerning that the S3 bucket gave everyone “full control,” letting people not only modify the list but change access permissions.

The DSCC locked down its cloud storage within hours of UpGuard reporting the finding on July 26th. It’s not clear if anyone outside of the DSCC had accessed the data before the discovery.

Whatever happened with the email list, the incident highlights how online campaign security has changed (and not) over the past several years. Official weren’t as acutely aware of the digital threats from Russia and other hostile actors, not to mention the overall consequences of leaving databases vulnerable — now, even a ‘modest’ failure like this considered problematic. With that said, there are still gaping security holes in the US political system, and it’s concerning that the DSCC didn’t catch this mistake on its own.