Security research firm vpnMentor reported that fitness brand V Shred suffered a data breach that exposed the personally identifiable information (PII) of 99,000 of its customers and trainers. The exposed information included V Shred users’ names, home addresses, social security numbers, email addresses, dates of birth, social media account details, age, usernames, passwords, sensitive photos of V Shred customers, gender, and citizenship status.
According to vpnMentor’s report, an unsecured AWS S3 bucket exposed V Shred’s database, which contained 1.3 million files totalling 606 GB of data. The exposed database contained three .CSV files: CSV file #1 is a lead-generation list with 96,000+ entries; CSV file #2 is V Shred’s client email list, with 3,522 entries; and CSV file #3 is a list of the 52 trainers working for V Shred, including their email addresses. The database has since been secured, after vpnMentor reported the issue to V Shred.
“The data was stored on a misconfigured Amazon Web Services (AWS) S3 bucket, which was completely open to public access. The URL of the bucket contained V Shred, and many of the files contained the company’s logo and other identifiers,” the report said.
How to Secure an AWS S3 Bucket
vpnMentor also gave AWS users some instructions for securing S3 buckets, including:
- Make the bucket private and add authentication protocols
- Follow AWS access and authentication best practices
- Add more layers of protection to their S3 bucket to further restrict who can access it from every point of entry
“It is important to note that open, publicly viewable S3 buckets are not a flaw of AWS. They are usually the result of an error by the owner of the bucket,” the report added.
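As an added illustration of the first and third recommendations (this is not code from vpnMentor or the report), the following Python evaluates the three settings that decide whether a bucket is reachable by the public, the same misconfiguration that exposed the V Shred data. It works offline on constructed sample documents in the shape the GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock API calls return; the bucket name is a placeholder.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# The corrected setting: all four S3 Block Public Access flags enabled.
HARDENED_PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

# Constructed samples in the shape GetBucketPolicy / GetBucketAcl return them.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-bucket/*"}]})
PUBLIC_READ_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_grants_public_read(policy_json):
    """True if an unconditioned Allow statement gives read or list rights to everyone."""
    if not policy_json:  # buckets without a policy have nothing to grant
        return False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        principal = stmt.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))
        if stmt.get("Effect") != "Allow" or not wildcard or stmt.get("Condition"):
            continue  # denies, named principals and conditioned grants are not "public"
        for action in _as_list(stmt.get("Action", [])):
            if action.lower() in ("*", "s3:*") or action.lower().startswith(("s3:get", "s3:list")):
                return True
    return False


def acl_grants_public_read(grants):
    """True if the bucket ACL grants READ to AllUsers or AuthenticatedUsers."""
    return any(g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)
               and g.get("Permission") in ("READ", "FULL_CONTROL") for g in grants)


def bucket_is_public(policy_json, acl_grants, public_access_block):
    """Combine ACL, policy and Block Public Access the way S3 applies them:
    IgnorePublicAcls neutralises public ACL grants; RestrictPublicBuckets limits
    a public policy to the bucket owner's account and AWS services."""
    pab = public_access_block or {}
    acl_public = acl_grants_public_read(acl_grants) and not pab.get("IgnorePublicAcls")
    policy_public = policy_grants_public_read(policy_json) and not pab.get("RestrictPublicBuckets")
    return bool(acl_public or policy_public)
```

Run against real buckets by feeding it the output of the three API calls for each bucket; any bucket that returns True while holding customer data is the V Shred situation, and applying the hardened block-public-access setting is the first fix.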
Data Breaches on Fitness Firms
In a similar data breach, security researchers discovered an open database belonging to fitness tech company Kinomap that exposed 42 million records (40 GB of data) of its users for at least a month. The database included PII of users from across 80 countries and regions, including North America, Australia, Japan, the U.K., Belgium, Finland, and Hungary. The exposed PII included full names, home country, email addresses, usernames, Kinomap account details, gender, timestamps for exercises, and the date they joined Kinomap. vpnMentor stated that it notified the French firm on March 28, 2020, immediately after the discovery. The database was secured on April 12, 2020, after the French data protection regulator had been informed.