Michigan Medicine Data Breach May Have Exposed Personal Details of 57,000 Patients
Published on July 25, 2024
Another day another data breach, it seems. This time around, it's French marketing firm Octoly, who misconfigured an Amazon Simple Storage Service (S3) bucket and managed to expose loads of personal details on more than 12,000 social media influencers.
What Octoly does isn't very complicated in this day and age - it works to connect people who have cultivated a following on Instagram, Twitter, or YouTube, with companies that provide them with various types of goods and services at no cost, as long as they feature those goods and services in their posts, thus aiding the brand's online image.
Chris Vickery, director of cyber risk research of UpGuard, discovered the unprotected repository a month ago. In there, he discovered the real names, addresses, birthdates, and other personal information of all these media influencers, along with hashed passwords and usernames for their online accounts.
This is massive. It means that anyone who stumbled over this S3 repository could pick up a username, work to unhash the passwords, since that's not much of a protection, and log into these people's accounts. Someone who means to harm them can do so without much trouble. They could even change the passwords and lock them out of the accounts, effectively holding the accounts for ransom.
"The potential for identity theft, password reuse attacks, and account takeovers of affected creators, launched by malicious actors, is also considerable," Vickery writes. He also goes on to point out the high risk of the female influencers becoming victims of online harassment.
The unprotected repository further contains a backup of Octoly's production database, as well as information on the companies that collaborate with them, like L'Oreal. The data also includes reports regarding the members' activity, followers, and personal tastes.
Vickery took the long road and warned the company first, advising them to secure the data. It seems Octoly eventually deleted the backup, but the spreadsheets full of personal data weren't locked until in early February, increasing the risk of someone else other than the good guys getting to them.
Unsurprisingly, the company's influencers took to Twitter to bash the company for not even warning them of the situation, even though they knew about it for the past month.