12,000 Social Media Stars Exposed in Latest Cloud Misconfig

Octoly, a Paris-based brand marketing company, has inadvertently revealed the contact information and personal details of 12,000 social media stars.

Octoly supplies the online celebs with beauty products and merchandise from the marketing firm’s industry clients, which include household names like Dior, Estée Lauder, Lancôme and Blizzard Entertainment. UpGuard's Cyber Risk Team discovered that the company had a misconfigured cloud storage bucket that made public a raft of information about these influential "creators" – mostly Instagram, Twitter and YouTube personalities.

The information includes real names, addresses, phone numbers, email addresses (including those specified for use with PayPal) and birth dates. Also exposed were authentication tokens that could be used to take over accounts, along with thousands of hashed user passwords. If those hashes were cracked, the recovered passwords could be used in password reuse attacks against the creators' other online accounts, the usernames for which are also in the repository.

The names of 600 brands that use Octoly’s services were included as well.

The Amazon Web Services S3 cloud storage bucket (now closed) also includes 12,000 Deep Social reports, which have been generated for each individual creator registered with Octoly. These reports provide highly detailed and specific analysis of creators’ online influence, down to the ages, interests and locations of followers, as well as which brands are most appealing to them – corporate intelligence that could be damaging if made available to competitors.

“The potential for identity theft, password reuse attacks and account takeovers of affected creators, launched by malicious actors, is considerable,” the UpGuard team said in a blog post. “This cloud leak raises the specific prospect of established, largely female internet personalities facing harassment or misuse of their actual personal details in their real lives.”

It also “invites the danger of gruesome ‘swatting’ attacks on their homes,” the researchers added. Swatting is a harassment tactic in which someone hoaxes an emergency services dispatcher or 911 operator into sending police or an emergency response team to another person's address.

Octoly faces potentially significant business damage as a result of this leak.

“The public disclosure of the deep analytical work Octoly provides for brands certainly constitutes a damaging leak of information that could be used by competitors and unsavory online marketers,” UpGuard said. “The publication of the brands using Octoly’s services also introduces the specter of third-party vendor risk, in which external partners can leak damaging internal information shared out of necessity… The essence of third-party vendor risk is that an external entity can, by the very nature of modern data sharing, expose other enterprises to risks they would not otherwise invite.”
