Security researchers have discovered that sensitive personal data of over 12,000 social media influencers from YouTube, Instagram, Twitter and Twitch has inadvertently been exposed in an unsecured Amazon server. UpGuard researchers said the data was leaked by Octoly, a Paris-based marketing agency that supplies social media stars with merchandise and products from top brands seeking reviews and endorsements.
Some of their industry clients include beauty brands such as Dior, Sephora, L'Oreal, Estée Lauder and Lancôme as well as gaming giants Ubisoft and Blizzard Entertainment.
Discovered in early January by UpGuard's director of cyber risk research Chris Vickery, the files were left in a misconfigured, publicly accessible Amazon Web Services (AWS) S3 cloud storage bucket.
The database included the real names, addresses, phone, numbers, email addresses - including those specified for use with PayPal, and dates of birth for these social media influencers - many of whom often choose to remain anonymous online.
Thousands of usernames and hashed user passwords were also leaked which could potentially be decrypted by nefarious actors and used to break into their accounts. The social media influencers included in this database, mostly young and female, span across the globe from France to the rest of Europe and the US, Upguard said in a blog post published Monday (5 February).
"This cloud leak raises the specific prospect of established, largely female internet personalities facing harassment or misuse of their actual personal details in their real lives," the researchers wrote. They also warned that the exposure of popular gaming personalities "invites the danger of gruesome 'swatting' attacks on their homes".
Besides these personal details, the bucket also contained a significant amount of brand and analytical information including a list of 600 brands that use Octoly's services and over 12,000 "Deep Social" reports generated for each influencer.
These reports "provide highly detailed and specific analysis of creators' online influence, down to the ages, interested and locations of followers as well as which brands are most appealing to them", the researchers said.
"Such information constitutes Octoly's bread and butter, and would be valuable corporate intelligence for any competing marketing firms," Upguard said. "The public disclosure of the deep analytical work Octoly provides for brands certainly constitutes a damaging leak of information that could be used by competitors and unsavory online marketers."
Upguard said it notified Octoly about the exposed S3 bucket but the company did not secure the data for weeks until 12 January after "multiple notifications". However, the spreadsheets that contained personally identifiable information still remained accessible online and was not secured until 1 February, the researchers said.
Octoly confirmed the breach and said there is currently no indication that the data has been exploited by malicious actors.
"An internal restructuring unfortunately exposed us to a data security issue. We want to assure our community that the necessary steps were taken to resolve it," a company spokeswoman told PCMag.
IBTimes UK has reached out to Octoly for further comment.
"The greatest risk presented in this exposure is human, not financial," UpGuard wrote. "The leak of the personal details of over twelve thousand internet users with a degree of fame sufficient for major brands to seek their favour could have grave consequences."