More than 12,000 prominent social media influencers from YouTube, Instagram, Twitter, and the gaming platform Twitch were exposed last month by a data breach at a marketing firm that pairs online stars with top brands seeking product reviews and endorsements, according to researchers at the security firm UpGuard.
Many of the online stars have massive followings and are known for offering beauty tips, primarily on Instagram, or video game reviews and commentary on YouTube. Few of them use their real names online. Like any other kind of celebrity, many social media stars have a heightened need for privacy, chiefly when it comes to the ever-present threat of online harassment.
The breach, which was tied last month to the influencer marketing firm Octoly, exposed not only the stars’ true identities, but their street addresses, apartment numbers, phone numbers, email addresses, and more. The users are predominantly young women, the researchers said.
The database exposed further contained a massive list of the brands that partner with these influencers, including top gaming companies such as Blizzard and Ubisoft, and beauty brands like Sephora, L’Oreal, and Sisley.
UpGuard’s researchers discovered the database in early January and were able to quickly link it to Octoly, a French company with a virtual office in Manhattan. Octoly’s Amazon server was publicly accessible, meaning virtually anyone could view its contents without a password. Securing the data proved challenging, however. Compared to most companies whose sensitive data has been unearthed in this way, Octoly was strikingly slow to respond.
UpGuard first notified the company by email on January 4th. The following day, a direct message was sent to the company on Twitter. UpGuard called Octoly’s corporate office twice over the course of a week without receiving a response. The data, meanwhile, remained accessible to anyone with the know-how to locate it—namely, hackers trolling the internet for random unsecured Amazon servers.
“This exposure reveals highly sensitive personal information about over twelve thousand individual men and women who, by merit of their prominence on the internet, are particularly vulnerable to the possibilities of harassment, abuse, and even the violence of ‘swatting,’” said UpGuard co-founder and co-CEO Mike Baukes.
“Octoly’s inability to secure this data for weeks after being notified by UpGuard, despite repeated follow-up communication and instruction on how to do so, is an unfortunate illustration of how not to respond to news of a data exposure,” Baukes continued. “Executives whose enterprises have suffered a data exposure must not merely move quickly to remediate such issues, but become knowledgeable on the realities of cyber risk in case the worst should occur.”
Octoly’s co-founder, Fabien Guiraud, finally reached out to UpGuard on January 14th. While many of the corporate records disappeared shortly thereafter, the client database containing a wealth of personally identifiable information remained accessible online. Persistent, UpGuard continued to reach out. More than a week later, Guiraud told the researchers the database was secured. It wasn’t.
Guiraud notified Gizmodo that the database was secured on February 1st. “We’re well aware about the privacy of our customers and as soon as we discover the vulnerability, we closed it as soon as possible,” he said.
“The greatest risk presented in this exposure is human, not financial,” UpGuard wrote in blog post Monday morning. “The leak of the personal details of over twelve thousand internet users with a degree of fame sufficient for major brands to seek their favour could have grave consequences. With online harassment endemic, particularly for women, the exposure of their phone numbers, addresses, and full names could have tragic consequences. Recent cyberstalking incidents affecting well-known YouTube and Instagram personalities of the sort recruited by Octoly show that such dangers are hardly implausible.”
UpGuard asked Gizmodo to withhold the names of those affected to protect their privacy.
Locating unprotected Amazon cloud servers has become a hobby of data breach hunters over the past two years. Last year, UpGuard located exposed databases containing records related to classified US government programs, as well as the largest known breach of US voter records.