CLOUD
Weight loss company Weight Watchers International Inc. is claiming that the chances that hackers have stolen data from its servers are slim after it was discovered that the company failed to password-protect a cloud instance used for managing application containers.
For something different in the age of seemingly never-ending Amazon Web Services’ S3 instance exposures, the Weight Watchers’ data exposure involved failing to password-protect a Kubernetes instance that held all the password data for its other cloud-based services. Not surprisingly, that included passwords for AWS S3 instances.
“The words ‘public without password’ and ‘administration interface’ should never go together,” Kromtech Security researchers, who discovered the data exposure, said in a blog post Friday. “By not properly protecting the administration console, Weight Watchers provided all the keys and information needed to gain full root access to their entire cluster. It was too easy.”
Ben Johnson, chief technology officer and co-founder of Obsidian Security Inc., told SiliconANGLE that the data exposure is highly newsworthy as “much of a hacker’s efforts are devoted to attaining, and then maintaining, access, so finding exposed root credentials is like walking into a bank to find the vault left wide open.”
Given how common large-scale exposures of sensitive info have become, he added, “enterprises must ensure that credentials are extremely well protected. As some security experts put it, hackers often don’t break in, they log in. We all need to keep better tabs on our credentials, our privileges, and our overall identities.”
Khash Sajadi, chief executive officer and co-founder of Cloud 66 Ltd., said that “while there’s no substitute for best practices, good, not even great security practices could easily have prevented this issue from happening.”
Developers need access to the Kubernetes cluster all the time, he noted, but “it’s important to ensure that if the cluster is opened up no one forgets to close it. This can occur with firewalls too, but best practices are well-known in that space, while in the Kubernetes world they are not.” He said that’s further proof both developers and operations staff need to work together and use tools that are built for containers.
“Teams need to find that balance between developer freedom (to focus on code, and commit as fast as possible, using self-service mechanisms) and operational governance (how to keep all those aspects of developer freedom within infrastructure and security policies) and it can be a sizeable challenge in any environment,” he said.
And that’s “exponentially” more important when it comes to Kubernetes. “Developers shouldn’t have to manage configuration, secrets or own security, and operations shouldn’t do manual tasks that slow down development, unless the policy states so,” Sajadi said. “The Weight Watchers incident is a great example of why it’s critical to monitor infrastructure to ensure you can identify areas of misconfiguration and prevent potential threats before they’re exploited.”
Chris Ford, vice president of product at Threat Stack Inc., noted that though containers are a great service, they can also dramatically increase the available attack surface because containers are addressed individually.
“In order to securely deploy containers, enterprises need to embrace tools that provide continuous monitoring of infrastructure, including containers, host, and host environment,” Ford said. “Unauthorized access to containers is just one example of potential risks that can be identified prior to an incident through proactive configuration audit and risk monitoring.”
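The proactive configuration audit Ford describes can be as simple as checking the API server’s own command line before a cluster is exposed. The following is an added example, not code from the article or from any of the companies quoted: it reads kube-apiserver flags (real flag names; the two sample command lines are constructed) and reports the settings that turn the API server into an unauthenticated administration interface.

```python
# Added example: audit a kube-apiserver argv list (as found in a static pod
# manifest) for settings that leave the control plane open without a password.
# Flag names are real kube-apiserver flags; the sample command lines are
# constructed for this example.

def parse_flags(command):
    """Return {flag: value} for every --flag=value argument after the binary."""
    flags = {}
    for arg in command[1:]:
        if arg.startswith("--"):
            name, _, value = arg.partition("=")
            flags[name] = value
    return flags


def audit_apiserver(command):
    """Return a list of findings; an empty list means no open-door setting was seen."""
    flags = parse_flags(command)
    findings = []
    # kube-apiserver defaults --anonymous-auth to true, so an absent flag is as
    # risky as an explicit "true".
    if flags.get("--anonymous-auth", "true").lower() == "true":
        findings.append("anonymous requests are accepted (--anonymous-auth=true)")
    # AlwaysAllow anywhere in the mode list makes authorization a no-op; the
    # flag's default is AlwaysAllow, so an absent flag is flagged too.
    modes = [m.strip() for m in flags.get("--authorization-mode", "AlwaysAllow").split(",")]
    if "AlwaysAllow" in modes:
        findings.append("--authorization-mode includes AlwaysAllow: every request is permitted")
    # The legacy plain-HTTP port skipped authentication and authorization
    # entirely (removed in Kubernetes 1.24). Only an explicit non-zero value is
    # flagged, since the default depends on the server version.
    insecure = flags.get("--insecure-port")
    if insecure is not None and insecure != "0":
        findings.append(f"--insecure-port={insecure}: unauthenticated HTTP listener enabled")
    return findings


# Constructed samples: an open configuration and its hardened counterpart.
OPEN_COMMAND = [
    "kube-apiserver",
    "--anonymous-auth=true",
    "--authorization-mode=AlwaysAllow",
    "--insecure-port=8080",
    "--etcd-servers=https://127.0.0.1:2379",
]
HARDENED_COMMAND = [
    "kube-apiserver",
    "--anonymous-auth=false",
    "--authorization-mode=Node,RBAC",
    "--insecure-port=0",
    "--etcd-servers=https://127.0.0.1:2379",
]

if __name__ == "__main__":
    for name, cmd in (("open", OPEN_COMMAND), ("hardened", HARDENED_COMMAND)):
        print(name, audit_apiserver(cmd) or ["no findings"])
```

Running the same check against manifests in version control, or as a periodic job on the control-plane nodes, catches a cluster that was opened up for developers and never closed again.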