Nearly 100,000 customers have had their sensitive personal data and revealing photos exposed online after a US-based fitness company misconfigured an Amazon S3 storage bucket.
Las Vegas-headquartered V Shred left the S3 bucket containing over 1.3 million individual files publicly accessible, according to vpnMentor.
The research team discovered the leak on May 14, but it took a whole month for the company to disable access to the offending files. Initially, V Shred apparently claimed it was necessary for user files to be publicly available and denied that any PII had been exposed. Once informed, it removed the PII but said it was leaving the other files publicly accessible, according to vpnMentor.
The 606GB trove contained three CSV files with PII on over 96,000 users, including full names, home and email addresses, phone numbers, birth dates, social security numbers, social media accounts, usernames and passwords, health conditions and more.
The database also contained meal plans, profile photos and “before and after” body photos for some customers, as well as details on 52 trainers, according to the report.
“Using the PII data exposed through the S3 bucket, malicious hackers and cyber-criminals could create very effective phishing campaigns targeting V Shred customers,” vpnMentor claimed.
“If the CSV files contained the social security numbers of any individuals, this would be a goldmine for cyber-criminals. They could utilize such information for a wide range of fraud and wholesale identity theft.”
Users could also be blackmailed with threats to release their before and after photos, it added.
The firm discovered V Shred’s misconfigured S3 bucket as part of a broader web mapping project, which has already revealed multiple leaks exposing hundreds of millions of sensitive records.
These include fitness tech firm Kinomap, which accidentally leaked 42 million records; sports retailer Decathlon, which leaked 123 million; and a British printing company, which may have exposed military secrets.