Social media star data exposed in new season of ‘Let’s Misconfigure Our AWS Storage’
After a quiet winter, a new season of misconfigured Amazon Web Services Inc. storage buckets takes us across the Atlantic to the bright lights of Paris with a company catering to social media stars exposing their details online.
Discovered once again by security researcher Chris Vickery at UpGuard Inc., the Mark Burnett of the story, the exposed database belongs to Octoly, a brand marketing firm that claims it is all about “empowering influencers to become successful entrepreneurs.” If you don’t follow the world of social media stars on platforms such as YouTube and Instagram, so-called “influencers” and “creators” can obtain deals to promote brands in return for money or free products, with agencies such as Octoly acting as the middleman between the two.
Vickery stumbled across an exposed, publicly shared AWS S3 cloud storage bucket labeled simply “octoly” Jan. 4. After downloading it, he discovered that it contained:
-
Personal information for over 12,000 creators including their real names, addresses, phone numbers, email addresses as well as details specified for use with PayPal and birth dates as well.
-
Thousands of hashed user passwords that if decrypted could lead to password reuse attacks against various online accounts belonging to creators — with usernames also included for good measure.
-
A list of more than 600 brands using Octoly’s influencing services, including Dior, Estée Lauder, Lancôme and Blizzard Entertainment.
-
12,000 Deep Social reports, described as a “highly detailed and specific analysis of creators’ online influence,” generated for each individual registered with Octoly, that could be damaging if made available to competitors.
“The potential for identity theft, password reuse attacks and account takeovers of affected creators, launched by malicious actors, is considerable,” a spokesperson for UpGuard told SiliconANGLE. “This cloud leak raises the prospect of established internet personalities facing harassment or misuse of their actual personal details in their real lives, a common and increasingly dangerous phenomenon online, while the exposure of popular internet gaming personalities invites the danger of gruesome ‘SWATting‘ attacks on their homes.”
Vickery did not name some of the social media “influencers” who were exposed in the data breach, but it does add a somewhat glamorous twist for the first of what is probably going to be another long season of AWS storage misconfigurations.
Last season ended with a bang when it was disclosed that data on 123 million U.S. households gathered by Alteryx Inc. had been found unsecured and open to the public, possibly the biggest case of a company failing to secure data on AWS. Highlights from earlier in the season included AWS-related data exposures from Accenture PLC, U.S. Army Intelligence and Security Command, Verizon Communications Inc. and the U.S. military contractor TigerSwan.
Photo: Brittany Venti/Change
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join our community on YouTube
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.
THANK YOU