Personal details of over 12,000 popular Instagram, Twitter, and YouTube personalities were exposed after Octoly, a Paris-based brand marketing company, failed to secure a cloud repository that contained a backup of enterprise IT operations as well as their sensitive information.
Social media stars whose details were left exposed by Octoly’s poor data security practices endorsed popular global brands like Dior, Estée Lauder, Lancôme, and Blizzard Entertainment.
Sensitive details of over twelve thousand social media stars, including those who enjoyed massive following on Instagram, Twitter, and YouTube, were exposed to outside access by Octoly included real names, addresses, phone numbers, email addresses, birth dates, usernames for online accounts and hashed passwords which if decrypted, could lead to password reuse attacks.
The breach was discovered by security firm UpGuard who observed that the unsecured cloud repository also contained highly detailed data analysis, customized for thousands of specific creators and brands, which also revealed further insight into Octoly’s inner workings. According to the firm, the exposure occurred because of ‘erroneous configuration of the repository for public access’.
Octoly stored the ill-fated data on an Amazon Web Services S3 cloud storage bucket. The data included complete backups of its operational database including its brand markering operations in North America and Europe. Also present in the backups were regularly updated spreadsheets containing personally identifiable information that were not secured by Octoly until 1st February.
According to UpGuard, the social media stars whose information were stored in the unsecured cloud bucket were ‘largely young and female, spanning the globe from the firm’s home country of France to the rest of Europe and the United States’ and were specialising in ‘using and reviewing beauty products or playing and critiquing video games, typically in YouTube vlogs and Twitch streams, or via Instagram, Snapchat, and Twitter’.
‘This exposure reveals a number of significant threat vectors that could have been exploited by malicious actors. Octoly’s incident response, from the highest corporate levels, did not properly account for the significance of the exposed data. The corporation’s deletion of one backup file, while failing to secure the S3 bucket or remove any of the large amount of other damaging data still exposed, left a large amount of personally identifiable information exposed weeks after Octoly assured the UpGuard Cyber Risk Team that the breach had been closed,’ the firm noted.
‘The greatest risk presented in this exposure is human, not financial. The leak of the personal details of over twelve thousand internet users with a degree of fame sufficient for major brands to seek their favor could have grave consequences. With online harassment endemic, particularly for women, the exposure of their phone numbers, addresses, and full names could have tragic consequences,’ it added.
The firm also observed a lack of seriousness in Octoly even after it was made aware of the exposure by researchers. It said that even though Octoly was warned about the exposed cloud bucket in the first week of January, it did not secure backups containing personally identifiable information of employees as well as thousands of social media stars until 1st February.
‘The ability to swiftly and decisively secure data in the event of a cyber incident is not just necessary to avoid financial and reputational damage critical to any business’s long-term fortunes. Nor is it necessary simply to protect blameless third-party enterprises of the sort exposed in this breach that merely wanted to better attract customers.
‘Ultimately, cyber resilience is necessary to protect the basic wellbeing and security of the individuals supplying their personal information to enterprises – the disclosure of which may increasingly be a dangerous outcome,’ it said.