Paleo Lifestyle Site Found Leaking PII on 70,000 Users
A misconfigured AWS S3 bucket is leaking personal information on 70,000 customers of a popular paleolithic lifestyle site, security researchers at vpnMentor have revealed.
The research team, led by Noam Rotem, discovered the 290MB trove on February 4, and traced it back to Paleohacks, a US health and lifestyle brand that offers content and resources about the paleo diet.
“At the time of writing, the company has ignored every attempt we’ve made to help them close the vulnerability and told us they’re ‘not interested’,” vpnMentor claimed in a blog post yesterday.
The leaky database apparently exposed the personally identifiable information (PII) of around 70,000 users of the site worldwide, dating back to 2015.
The exposed PII includes full names, usernames, dates of birth, email and IP addresses, hashed passwords, employer details, location and more.
Also exposed were password reset tokens for some subscription account holders.
“While the passwords were protected by the bcrypt hashing algorithm (a sophisticated form of password encryption), a hacker could easily use the tokens to reset a person’s password, gain access, and lock the original user out of their account,” vpnMentor argued.
“Doing so would allow the hackers to take control of thousands of Paleohacks accounts and any additional data stored therein.”
Affected users could also be targeted by follow-on phishing attacks and other identity fraud schemes, if attackers got hold of their data, the researchers warned.
Paleohacks may also face scrutiny from Californian privacy regulators, and even under the GDPR if EU citizens' data has been exposed, vpnMentor argued.
The S3 bucket was discovered as part of a large web scanning project in which the research team scans for exposed cloud databases. The team found the offending bucket both unsecured (publicly accessible) and unencrypted.