Personally identifiable information of more than 99,000 customers of V Shred, a Las Vegas-based diet supplement and exercise program company, may have been left exposed online due to an unsecured database.
V Shred bills itself as a fast-growing "fitness, nutrition, and supplement brand" with tens of thousands of customers in 119 countries and 12 million unique website visitors.
However, VPNMentor researchers said they found unprotected Amazon Web Services "buckets" holding 1.3 million personal files and a total of 606 GB of data.
"By not protecting these files, V Shred was violating customer privacy and security, leaving them exposed to bullying and fraud," the researchers wrote in a blog post yesterday (July 2).
The unprotected AWS bucket discovered by the researchers on May 14 consisted primarily of three large comma-separated values (CSV) files.
However, the bucket also contained profile photos, "before and after" photos of clients (some "very revealing"), and information about meal plans.
According to the researchers, the unsecured photos and documents contained "a variety of personally identifiable (PII) data, revealing sensitive information about the people exposed."
The researchers also found that "the documents were not secured, but were found to contain a variety of personally identifiable information."
Tom's Guide has reached out to V Shred's parent company, Sculpt Nation, for comment. We will update this article as soon as we receive a response.
The three CSV files contained the personal information of tens of thousands of people worldwide.
Each file had a different purpose: the first contained 96,000 entries in the sales lead generation list, the second contained 3,522 entries in the email address list, and the third contained the personal information of 52 trainers.
The researchers warn that the CSV file "posed a greater immediate risk" due to the fact that it "contains a vast amount of PII data for each individual listed."
According to VPNMentor, the CSV files contained information such as full name, home address, email, phone number, birthday, social security number, spouse's name, social media accounts, user name and password, gender, health status, age, and citizenship.
The report makes no mention of whether the passwords are "hashed" or protected by one-way encryption. If you have a V Shred account, change your password now.
The Social Security numbers probably belong to the 52 trainers, since U.S. companies typically collect such data only from employees and contractors. But if you are one of those people, it's best to sign up for the best identity theft protection service now.
Researchers contacted V Shred and AWS in May to alert them to the breach, but it took V Shred a month to remove the files containing personal information from the AWS bucket.
The fitness company told VPNMentor that because V Shred's clients needed access to meal plans, workout instructions, and before-and-after photos, "all other files would remain publicly accessible."
ZDNet's Charlie Osborne looked at the data still accessible and confirmed that it contained "company materials, diet guides, workout plans, and user photos."
As for the impact of this breach, VPNMentor warns that "malicious hackers and cybercriminals could launch a very effective phishing campaign targeting V Shred's customers."
That is true, but only if malicious hackers have access to the exposed information. There is no indication that anyone other than VPNMentor had access to the files before they were protected.
However, many people are actually sniffing around the Internet trying to find insecure AWS buckets.
VPNMentor reports, "V Shred is a young company and appears to be run by a small team. However, it is responsible for protecting those who use its products and sign up for its services.
"By not doing so, V Shred is jeopardizing the privacy and security of those exposed and the future of the company itself."