Customer data from fitness firm V Shred exposed on misconfigured cloud storage
Data relating to at least 99,000 customers of fitness company V Shred LLC has been exposed online in yet another case of misconfigured cloud storage.
Discovered by security researchers Noam Rotem and Ran Locar at vpnMentor and reported today, the unsecured data was found in an Amazon Web Services Inc. S3 bucket. The data, which came in at a sizable 606 gigabytes, included about 1.3 million files relating to V Shred customers.
The database included full names, home addresses, email addresses, phone numbers, birthdays, Social Security numbers, spouse names, social media accounts, gender, health conditions, age range, citizenship status, usernames and passwords. The database also included account profile photos, “revealing” before and after photos and custom meal plans.
The exposed database was discovered on May 14, with V Shred contacted May 18. After no response from the company, the researchers then contacted AWS May 20. AWS responded June 1 and the database was taken offline June 18.
The large amount of personally identifiable information exposes all customers in the database to phishing attacks, as well as other criminal activities such as identity theft. V Shred has not commented publicly on the report as of the time of writing.
“Leaving a database publicly accessible without any security barriers in place is one of the most common yet easily preventable causes of data leaks and breaches,” Chris DeRamus, vice president of technology, cloud security practice at security operations firm Rapid7 Inc., told SiliconANGLE. “With the self-service nature of the cloud, users may not be adequately familiar with cloud security settings and best practices, resulting in devastating data leaks. Although any evidence of misuse has not been confirmed, the information that was exposed is highly valuable to bad actors, who harvest this kind of data to sell on dark web marketplaces or to launch future attacks against the impacted individuals.”
Anurag Kahol, chief technology officer at cloud access security broker Bitglass Inc., noted that bad actors often leverage tools that detect misconfigurations in information technology assets such as an AWS database.
“To safeguard customer data, organizations must have full visibility and control over their data in order to prevent breaches and leaks,” Kahol said. “This can be accomplished by employing advanced security solutions that remediate misconfigurations, enforce real-time access control, encrypt sensitive data at rest, manage the sharing of data with external parties and prevent the leakage of sensitive information.”
Photo: V Shred/Glassdoor