Fashion social network 21 Buttons exposes user data via unsecured cloud storage
21 Buttons La Plataforma APP S.L., a Spain-based technology startup that offers a fashion social network and clothing shop, has suffered a data breach with the records of its users found exposed online.
Discovered and publicized today by researchers led by Noam Rotem at vpnMentor, the data was found on an unsecured Amazon Web Services Inc. S3 cloud storage bucket. The bucket held 50 million pieces of data, including social media posts and profiles, invoices, full names, addresses, postal codes, bank details, national ID numbers, PayPal email addresses and in some cases the value of sales commission earned through the app.
Found in the data were details of payments made to hundreds of influencers around Europe, including Carlota Weber Mazeucos, Freddy Cousin Brown, Marion Caravano, Irsa Saleem and Danielle Metz.
Although the service and the “influencers” would be unknown to many, the company is venture capital-funded. According to Crunchbase, 21 Buttons has raised $30.7 million in venture capital funding from investors including 360 Capital Partners, Sabadell Venture Capital, Kibo Ventures, Breega, Idinvest Partners, JME Ventures, Samaipata and Sputnik Capital.
VpnMentor discovered the data breach on Nov. 2 and informed 21 Buttons three times of its exposed data, on Nov. 5, Nov. 12 and Dec. 8, with no initial response. The researchers also contacted AWS on Nov. 10 and Dec. 8 about the exposed data. The first response came on Dec. 22, with a message saying only that the breach notification had been forwarded to “the correspondent department.”
As with all data exposures of this type, the exposed personally identifiable information is a gold mine for cybercriminals, who can use the data for phishing, identity theft and other nefarious purposes. That it involved so-called “influencers,” celebrities of sorts, adds another dimension to the arguably pathetic security deployed by a company that should have known better.
“Most social media influencers try to keep their PII data secret and completely hidden,” the researchers noted. “However, by exposing their contact details, home addresses and national ID numbers, 21 Buttons has compromised the privacy of everyone affected.”
Given that the company is based in Spain, it’s also bound by the European Union’s General Data Protection Regulation. The fact that it has known of the data exposure for more than six weeks and failed to act upon the information could result in its getting fined or facing legal action.