Thousands of social media users looking for added publicity instead ended up with the wrong kind of exposure. A marketing agency called Octoly accidentally leaked their personal details—including real names, addresses and phone numbers—all thanks to a misconfigured server.
The Amazon Web Services S3 storage bucket was set for public access, according to security firm UpGuard, which detailed the incident in a Monday blog post. On the exposed server was data on 12,000 of the agency’s clients, so-called social media “influencers” who use Instagram, Twitter, and YouTube to promote themselves.
Octoly, based in France, helps clients receive free products from popular brands so they can post reviews on their social media accounts. On Monday, Octoly confirmed the breach, but said there was no indication bad actors ever came across the data. The server is now secure.
“An internal restructuring unfortunately exposed us to a data security issue. We want to assure our community that the necessary steps were taken to resolve it,” a company spokeswoman said in an email.
UpGuard spotted the problem in early January, but the security firm said Octoly didn’t fully secure the server until Feb. 1, despite several notifications.
“The top influencer in that find has over 6 million followers,” tweeted UpGuard director Chris Vickery. In addition, the leaked data contained email addresses, and what appeared to be hashed password information for user accounts with the marketing agency.
If the passwords are unscrambled, then a bad actor could break into not only someone’s Octoly account, but also any other online accounts registered with the same password, UpGuard warned.
“How many of those internet celebs do you think re-use passwords? I’m thinking a decent percent probably do,” Vickery added in his tweet.
The news is a good reminder to create unique, hard-to-guess passwords for your most important accounts, and to also secure your cloud storage. UpGuard has been uncovering case after case involving businesses and government agencies failing to keep their AWS online storage off the public internet. Simply changing the permissions settings can often fix the problem.