An erroneously configured Amazon Simple Storage Service (S3) bucket managed by Paris marketing firm Octoly left exposed contact information and personal details for more than 12,000 social media influencers.
Octoly connects popular Instagram, Twitter and YouTube users with companies that provide them consumer goods and services at no charge, in hopes of getting favorable reviews or otherwise amplifying their brand image online.
Its S3 repository, which was discovered on Jan. 8 by Chris Vickery, director of cyber risk research at UpGuard, contained influencers’ real names, addresses, birthdates and other information, UpGuard said in a blog post. It also contained thousands of hashed user passwords and accompanying usernames for other online accounts held by the influencers, UpGuard said.
“The potential for identity theft, password reuse attacks, and account takeovers of affected creators, launched by malicious actors, is also considerable,” the blog states. “This cloud leak raises the specific prospect of established, largely female internet personalities facing harassment or misuse of their actual personal details in their real lives.”
Vickery found the exposed S3 bucket at the subdomain “octoly.” It contained a series of critical internal files, including a backup of Octoly’s production database.
The exposed data also included a wealth of information about the companies that use Octoly’s services, which include L’Oreal and Estée Lauder, as well as thousands of analytics reports generated by a company called Deep Social. The reports contain detailed information on Octoly’s members’ online influence, activity, followers and personal tastes.
After repeated warnings from Vickery, Octoly deleted the backup, but spreadsheets containing personally identifiable information weren’t locked down until Feb. 1, according to UpGuard.
“The main thing is, I was disappointed not necessarily because there was a data exposure,” as that can happen to any company, Vickery said in an interview. “Their incident response was the main thing that was really disappointing.”
It’s not clear exactly why the S3 bucket wasn’t secure. “I would have to know a lot more about how they’re structured,” he said. “There is no reason that these high-value accounts, with that kind of information, should have been sitting out there for so long.”
That said, Octoly is a “relatively fresh company,” he added. “It doesn’t surprise me that they’d lack in some areas.”
Octoly influencers took to Twitter, expressing anger at the company. Octoly apologized but said there are “no signs” any information had been downloaded or used.
There are no signs that any information has been downloaded or has been used. We totally understand your concerns and apologize sincerely. We value our members and your security is important to us. We assure you that the necessary steps were taken to resolve this issue.
— Octoly (@octoly) February 5, 2018
Vickery expressed skepticism at Octoly’s statement.
“Based on the way they responded in getting it secured, they seemed kind of aloof,” he said. “It wouldn’t surprise me if they had no way of knowing that anyone took it.” After all, Vickery was able to download quite a few files from the bucket himself, including the backup database, he added.
Vickery offered a couple of hypotheses on what may have happened. First off, there are default security settings on S3 instances, so the information had to be exposed deliberately, he said.
This doesn’t have to be a malicious action, he noted. “Maybe someone didn’t understand the settings, or they were accepting the risk of operating in a non-secure manner to make another system work,” Vickery said. “Sometimes, developers don’t want to script in all the credentials in order to make it work.”
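One way a defender can check for the kind of deliberate opening Vickery describes, as an added example that is not part of the original article or UpGuard's tooling: the functions below flag ACL grants to the AllUsers/AuthenticatedUsers groups and bucket-policy statements with a wildcard principal, run over constructed sample documents shaped like the output of boto3's get_bucket_acl() and get_bucket_policy().

```python
# Audit an S3 bucket's ACL and bucket policy for grants to "everyone".
# Example added to this article, not UpGuard's or Octoly's code; the sample
# documents below are constructed to mirror the dicts boto3's get_bucket_acl()
# and get_bucket_policy() return, so this runs offline with no AWS credentials.
import json

# Group URIs that make an ACL grant public (anyone / any AWS account holder).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Return (group URI, permission) for each grant that exposes the bucket."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings

def public_policy_statements(policy_json):
    """Return Sids of Allow statements whose Principal is the wildcard '*'."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    sids = []
    for stmt in statements:
        principal = stmt.get("Principal")
        if isinstance(principal, dict):  # {"AWS": "*"} or {"AWS": ["*", ...]}
            principal = principal.get("AWS")
        if isinstance(principal, str):
            principal = [principal]
        if stmt.get("Effect") == "Allow" and "*" in (principal or []):
            sids.append(stmt.get("Sid", "<no Sid>"))
    return sids

# Constructed sample: everyone gets READ (object listing) via the ACL, and the
# policy lets anonymous callers fetch any object; the owner-only statement is fine.
SAMPLE_ACL = {"Owner": {"ID": "owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]}
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OwnerAdmin", "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"},
]})
```

Against a live account, the same functions can be fed the `Grants` dict from `get_bucket_acl()` and the `Policy` string from `get_bucket_policy()`; a non-empty result from either is the "exposed on purpose" state the article describes.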
The key takeaway overall is that “you can’t take a company’s word for it on incident response,” Vickery said. “Trust but verify.”