Let’s imagine that you store usernames and passwords in cleartext in the S3 bucket. Let’s assume that access to the entire bucket is configured properly and the “Access Denied” error returned, as shown below.
However, with a certain request to Google, we see that the files in the S3 were indexed.
After opening the file we get so many accounts hijacking… (of course don’t forget about bypassing geolocation/trust device protections, etc)
Don’t store sensitive information in cleartext, especially the username & password combination :)