Octoly, the Paris-based agency for online “influencers” apologized following the leak of sensitive and personally identifying information on 12,000 clients. But clients were furious they were not informed by the company first and researchers warn that those exposed could face increased risks of both online and offline harm.
The firm responsible for leaking data on 12,000 YouTube stars, Instagram A-listers and other influencers issued an apology to its outraged customers late Monday, hours after the firm UpGuard disclosed the breach.
Octoly, the Paris-based agency that connects product firms with so-called “influencers,” used Twitter to express regret for the incident and to reassure affected customers that none of their data “has been used or downloaded.” However, the security researcher who discovered the trove said that it is impossible to know whether the data had been accessed, and that the exposure could leave anyone in the data set vulnerable to targeted online or even physical attacks.
There are no signs that any information has been downloaded or has been used. We totally understand your concerns and apologize sincerely. We value our members and your security is important to us. We assure you that the necessary steps were taken to resolve this issue.
— Octoly (@octoly) February 5, 2018
A familiar story
As is often the case with UpGuard’s findings, the data trove was discovered in a loosely protected Amazon Web Services S3 storage container. Octoly had enabled a feature known as “Globally Authenticated Users” that allows anyone with an Amazon Web Services account (which are free) to view the contents of the storage container. That is almost identical to the misconfiguration that exposed information on 123 million US households from the firm Alteryx in December.
In a conversation with The Security Ledger, Chris Vickery of UpGuard said that S3 users are often confused by the purpose of the Globally Authenticated Users option, even though it is well documented.
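The “Globally Authenticated Users” setting described above is an S3 bucket ACL grant to Amazon’s predefined AuthenticatedUsers group, which is distinct from (and easy to confuse with) a grant restricted to one’s own account. The following is an added example, not code from UpGuard, Octoly or this article: it parses the JSON shape that the `aws s3api get-bucket-acl` command returns, flags any grant to the AllUsers or AuthenticatedUsers groups, and produces a cleaned ACL with those grants removed. The sample ACL, owner id and bucket name in it are constructed placeholders, not Octoly’s real values.

```python
import json

# Amazon's predefined global group URIs as they appear in S3 ACL grants.
# A grant to either of these makes the bucket readable far beyond the owner's account.
GLOBAL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone (anonymous)",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}

# Constructed sample in the JSON shape `aws s3api get-bucket-acl --bucket <name>` prints.
# The canonical id is a placeholder; the second grant reproduces the risky setting.
SAMPLE_ACL = json.dumps({
    "Owner": {"ID": "EXAMPLE_OWNER_CANONICAL_ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE_OWNER_CANONICAL_ID"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
         "Permission": "READ"},
    ],
})


def risky_grants(acl_json):
    """Return a list of (who, permission) for every grant to a global group."""
    acl = json.loads(acl_json)
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        # Only Group grantees carry a URI; user grantees are identified by canonical id.
        if grantee.get("Type") != "Group":
            continue
        uri = grantee.get("URI", "")
        if uri in GLOBAL_GROUPS:
            findings.append((GLOBAL_GROUPS[uri], grant.get("Permission")))
    return findings


def private_acl(acl_json):
    """Return the ACL with every AllUsers/AuthenticatedUsers grant dropped.

    Grants to the owner (and to other named accounts or service groups) are kept,
    so this is the 'private bucket' form of the same ACL.
    """
    acl = json.loads(acl_json)
    acl["Grants"] = [
        g for g in acl.get("Grants", [])
        if g.get("Grantee", {}).get("URI", "") not in GLOBAL_GROUPS
    ]
    return json.dumps(acl)


if __name__ == "__main__":
    for who, perm in risky_grants(SAMPLE_ACL):
        print(f"WARNING: {perm} granted to {who}")
    print("after cleanup:", risky_grants(private_acl(SAMPLE_ACL)))
```

In practice the input would be piped from `aws s3api get-bucket-acl --bucket <name>` for each bucket in the account, and the cleaned ACL applied back with `put-bucket-acl`; AWS’s account-level “Block Public Access” settings, added after this incident, treat grants to both of these groups as public and can prevent them from being set at all.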
The data trove from Octoly was in an S3 bucket whose subdomain included the term “Octoly.” It contained a copy of the company’s production database (“octoly_production.sql”) and numerous spreadsheets dubbed “Creators” that listed the many online influencers Octoly courted on behalf of product firms selling entertainment and beauty products, among other things.
The data revealed a wealth of information including home addresses, birth dates, phone numbers and real names of the influencers, many of whom are young, female and use “handles” and pseudonyms online. Vickery said that posed a number of risks for those affected. The presence of physical addresses in the dump could leave the creators vulnerable to stalking, robbery or dangerous pranks like “SWATting” attacks.
The data trove also contained some 12,000 hashed passwords, presumably for accounts that customers had with the agency. Those 12,000 passwords were hashed with the bcrypt password hashing algorithm, which is a robust choice. However, adversaries with adequate computing power might still be able to crack weaker passwords, which could leave the victims vulnerable to account takeovers and other hacks if they reused their Octoly password to secure other online services, Vickery said.
Octoly slow to respond
Vickery said that the firm, which boasts offices in France, the US, Spain, Canada and the UK, was slow to respond to notification by UpGuard of the breach. Vickery said he first discovered the leaked data on January 4 and notified Octoly via email then. Over the next week, he tried contacting the firm by phone and Twitter Direct Message. However, he did not hear from Octoly until January 14, when he received an email from the company’s founder. Exposed data wasn’t fully removed from the company’s Amazon S3 bucket until February 1.
“They were slow getting it secured,” Vickery said. “I’m not sure how you can be such an influential player and not have a Grade A IT staff running things.”
In addition, it appears no effort was made to inform the firm’s customers of the breach. That prompted outrage online after the UpGuard blog post began attracting attention on Monday. “This is not ok @octoly never informed us,” wrote a customer who uses the handle Beauty Products Are My Cardio (@BPAMC). “I will be unfortunately canceling my account with them once my pending product reviews are complete. They never answered why we were not informed.”
Other Octoly users also said they had heard nothing from the company about a breach prior to the UpGuard blog post being published. The company took to re-posting a verbatim apology to customers who complained on Twitter, prompting even more rebukes.
Please stop copying and pasting that response. Most of your users don’t even know about this breach how does that make it resolved???
— katelovesmakeup1 (@kate_winford) February 5, 2018
The breach comes just months before a strict new data protection and privacy law, the General Data Protection Regulation, is due to take effect in Europe. That law includes a 48 hour requirement for notifying regulators and customers about a data breach, as well as stiff fines for failing to adhere to EU data protection standards.