A misconfigured cloud storage bucket has exposed the personal details of hundreds of social media influencers, potentially putting them at risk of fraud and harassment, according to researchers.
A team at vpnMentor discovered the AWS S3 bucket wide open with no encryption or password protection, back in early November. Action has apparently yet to be taken by the company responsible, Barcelona-based “social commerce” company 21 Buttons.
For a commission, influencers upload their photos to the firm’s app and link to the e-commerce stores where users can buy the clothes they’re wearing.
According to vpnMentor, the firm has around two million monthly active users and partnerships with many of the biggest brands in Europe.
Of the 50 million files exposed in the snafu, which were mainly influencer photos and videos, the research team discovered hundreds of invoices said to relate to payments made to these social media stars.
Among the personally identifiable information (PII) exposed were full names, postal codes, bank details, national ID numbers, PayPal email address and value of sales commissions.
Those caught in the data leak included Carlota Weber Mazuecos, Freddy Cousin Brown, Marion Caravano, Irsa Saleem and Danielle Metz – influencers that between them have millions of followers on the site.
The vpnMentor team warned that if cyber-criminals get hold of the PII, the victims could be exposed to follow-on phishing scams designed to obtain more bank and card details, identity fraud and stalking.
“If somebody shared the invoices publicly, bad actors would have plenty of material to identify any private accounts held by influencers, as well as their homes and workplaces,” it claimed.
“This doesn’t just make the people affected vulnerable to phishing and fraud. They’re also at risk from an invasion of privacy, doxing, stalking and harassment – both online and offline.”