Misconfigured AWS Bucket Exposes 12,000 Social Media Influencers’ Data

Security researchers have recently found that sensitive personal data of around 12,000 social media influencers from Instagram, Twitter, YouTube, & Twitch has been exposed in an unsecured Amazon server.

Researchers from UpGuard said that the data was leaked by a Paris based marketing agency Octoly that supplies social media stars with merchandise & products from top brands seeking reviews & endorsements.

Some of their clients include gaming giants such as Blizzard Entertainment & Ubisoft as well as beauty brands like Sephora, L’oreal, Dior, Estée Lauder & Lancôme.

Chris Vickery , director of Cyber Risk Research at UpGuard, discovered that the files were left in a misconfigured, publicly accessible Amazon Web Services S3 cloud storage bucket.

The database included influencer’s personal information such as their real names, dates of birth, phone numbers, addresses, email addresses & more.

Not only this, thousands of usernames & hashed user passwords were also leaked which could be potentially decrypted by cyber criminals as well as used to break into their accounts. According to the researchers, the social media influencers are predominantly young women, span across the globe from France to the rest of Europe & the US.

“This cloud leak raises the specific prospect of established, largely female internet personalities facing harassment or misuse of their actual personal details in their real lives,” said the researchers. Also, they warned that the exposure of popular gaming personalities “invites the danger of gruesome ‘swatting’ attacks on their homes”.

Apart from these sensitive details, the bucket also contained brand & analytical information including a list of about 600 brands that use services of Octoly as well as more than 12,000 “Deep Social” reports generated for each influencer.

These reports “provide highly detailed and specific analysis of creators’ online influence, down to the ages, interested and locations of followers as well as which brands are most appealing to them”, said the researchers.

“Such information constitutes Octoly’s bread and butter, and would be valuable corporate intelligence for any competing marketing firms,” Upguard said. “The public disclosure of the deep analytical work Octoly provides for brands certainly constitutes a damaging leak of information that could be used by competitors and unsavory online marketers.”

Octoly was notified by UpGuard about the exposed S3 bucket but the company failed to secure the data for weeks even after multiple notifications. According to the researchers, the spreadsheets that contained personally identifiable information still remained accessible online & was not secured until February 1.

Octoly has confirmed the data breach & said that currently there is no indication that the data has been exploited by threat actors.

“The greatest risk presented in this exposure is human, not financial,” said UpGuard. “The leak of the personal details of over twelve thousand internet users with a degree of fame sufficient for major brands to seek their favour could have grave consequences. With online harassment endemic, particularly for women, the exposure of their phone numbers, addresses, and full names could have tragic consequences. Recent cyberstalking incidents affecting well-known YouTube and Instagram personalities of the sort recruited by Octoly show that such dangers are hardly implausible.”