Upguard researcher Chris Vickery announced the discovery of an unsecured Amazon Web Services S3 cloud storage “bucket” from Parisian brand marketing company Octoly. The bucket left Octoly’s enterprise IT operations and the personal data of 12,000 social media influencers—Instagram, Twitter and Youtube content contributors—completely exposed.
The data leak exposed the inner working of Octoly’s digital brand marketing operations in North America and Europe, client info including information on L’Oreal and Blizzard Entertainment, and specially commissioned analytics information that could prove damaging to their business operations. Most disturbingly, the data included the real names, addresses, phone numbers, birthdates, emails (including emails used for transaction sites like PayPal), and hashed user credentials of Octoly’ social media influencers. These individuals, mostly young women, receive free beauty products, merchandise, and gaming content to review and promote on their personal accounts, providing free exposure and organic marketing to younger audiences.
According to an Upguard blog post by Vickery, the bucket was exposed due to an “erroneous configuration of the repository for public access,” and was discovered on January 4. Vickery sent repeated warnings to Octoly about the exposed data, who eventually did delete some of the information from the bucket. However, they left the spreadsheets with their social media influencers’ personal data unsecured until February 1.
According to the Vickery’s post, “Octoly’s incident response, from the highest corporate levels, did not properly account for the significance of the exposed data. The corporation’s deletion of one backup file, while failing to secure the S3 bucket or remove any of the large amount of other damaging data still exposed, left a large amount of personally identifiable information exposed weeks after Octoly assured the UpGuard Cyber Risk Team that the breach had been closed.”
Vickery added separately that the social media credentials were hashed but could easily be cracked by dedicated hackers with enough time, which leaves thousands of people vulnerable to identity theft and password reuse attacks.
Octoly’s social media influencers have publicly expressed frustration at Octoly’s slow and insufficient incident response, which left them in the dark about the possible exposure until recently. On Twitter, Octoly apologized and stated that there were “no signs” that any personal information had been downloaded or used maliciously.
Vickery has expressed doubt on this claim, as he believes it is more likely the Octoly has no idea if anyone accessed it. His blog point notes that the social media personalities may face harassment both online and in real life with their personal information exposed. Many of them, particular female users, prefer to stay anonymous or operate under their first name only in online interactions to avoid such harassment.
The entire incident speaks to the PR nightmare a data leak can bring, particular one with an ineffective incident response plan. It also highlights the issues surrounding the collection of personal information and credentials, and the distrust consumers experience sharing their personal data and passwords with corporations.