Massive “V Shred” Data Breach Exposes More Than 99,000 Customers

Last updated September 17, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

Users of the “V Shred” platform have had their personal data exposed, after the fitness and nutrition company misconfigured their main Amazon Web Services S3 bucket. The discovery of the unprotected database came from N. Rotem and R. Locar, on May 14, 2020. “V Shred” was contacted four days later but failed to reply. The researchers then reached out to an AWS representative who eventually took action and disabled the leaking bucket on June 18, 2020. This makes up for a total of over a month of exposure, which is more than enough for malicious actors to locate and steal the files.

The unsecured S3 bucket contained 606 GB of data that affect over 99,000 customers. The 1.38 million files contained in the database concern PII, before/after photos, user profile details, and custom meal plans. In addition to the client details, there was also data on 52 trainers who work for V Shred. The PII entries were logged in CSV files, and consist of the following details:

V-shred-csv

Source: vpnMentor blog

The potential impact that this data’s exposure could have on the “V Shred” customers ranges from scamming and highly targeted phishing to blatant extortion. Considering that even social security numbers have been exposed, the possibility of identity theft is also substantial. If you are a V Shred customer, you should be very careful with incoming emails asking you to “update” your details or provide more info. Besides that, if anyone posts your images online, you may take legal action against them. As for V Shred, the impact on them is quite substantial, as they have failed to protect such sensitive information and then failed to respond to the warning messages sent by the researchers.

vshred_image

Source: vpnMentor blog

Apart from the loss of trust towards the “V Shred” brand, the company is also entering legal trouble due to this incident. Being a Las Vegas-based company with customers from 119 countries, their security lapse has repercussions relating to the GDPR and the CCPA, so it’s likely that they will now become the subject of investigations that will lead to huge fines. V Shred is one of those smaller companies in the right field to reap the fruits of the people's sudden interest spike towards fitness and nutrition. Thus, this incident may bring their end, highlighting the importance of ensuring data security above anything else.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: