The marketing agency Octoly has erroneously exposed a lot of personal data belonging to their customers. The leak happened due to a misconfiguration in the Amazon S3 Simple Storage Service bucket which hosts the clients data. The security reports indicate that in result of the Octoly incident private data for more than 12 000 social media influencers was revealed to the public.
Details On the Octoly Amazon Leak
A serious security incident has been reported in the security community. The Octoly marketing agency that works with social media influencers and consumer companies has leaked personal data by accident. The reason was a misconfiguration in the Amazon S3 Simple Storage Service which is a cloud hosting service that allows consumers and business to store information and host applications on their servers.
The repository operated by the company was found on January 8th by a security researcher during an audit of the cloud platforms. The marketing service clients are social media users mainly on platforms like Instagram, Twitter and YouTube that are supplied with review products from beauty and gaming companies, as well as merchandise. Some of the industrial partners that the company serves include the likes of Dior, Estée Lauder, Lancôme and Blizzard Entertainment.
The researcher was able to access the repository managed by the company via a public web instance available on Amazon’s platform. The expert acquired a full backup copy of Octoly’s operational database in a SQL format. Its analysis reveals how the company operates the digital marketing services across Europe and North America. Following the security guidelines the researcher notified Octoly of the exposure and by January 12th the backup was deleted. However a large amount of regularly updated spreadsheets were still being uploaded and accessed until their complete removal by February 1st.
Octoly’s Amazon Leaked Data Contents
The exposed data made available by Octoly was analyzed by the experts during the investigation. The database and spreadsheets are separated into three categories:
- Users — This field refers to data related to the employees at Octoly.
- Clients — This field contains information about the enterprise clients that pay the company to promote their services.
- Creators — This set contains information acquired by the social media users.
The company connects the three type of users by supplying the content creators with review products that are made by the businesses for promotion purposes. The social media users are largely young users from all parts of Europe and North America. They receive the products and create various content posted on channels like YouTube, Twitch, Twitter, Instagram, SnapChat and personal blogs. Example personal information includes data that can directly expose the victim’s identity including: full names, home addresses, birth dates and phone numbers which are linked to all social media accounts available online. This presents a very serious privacy risk as many of them are known only by their pseudonyms.
As a result the harvested email accounts can be used to brute force online services like PayPal, email and banking accounts. The experts note that the hashed set of passwords retrieved from the site can be used during the attacks.
The harvested documents and strings contain hyperlinks that showcase data related to marketing intelligence and site analytics. It is used by the company’s team to match the profiles of the content creators to the business promotional items. The security researchers were able to access reports that are specifically made for each individual use. They contain data such as the potential target age of their viewers, location of audience, interests and potential brand name interests.
Significance of Octoly’s Amazon Leaked Data
The consequences of the leaked data can present several worrying case scenarios. They present real possibilities for criminal users to abuse the obtained information. Computer malware users usually set up tracking software that can immediately notify them of a data leak. Once the data has been acquired it can be sold on the hacker underground markets for profit.
The hacker operators can abuse the personal details and attempt to blackmail or harrass the content creators. They can setup counterfeit profiles that can be used to their advantage and send out messages that pose as them in social engineering campaigns. There is a very large probability that the information can also be used in identity theft and financial abuse crimes.
The fact that the leak included hashed passwords it is possible to decrypt them using powerful hardware and significant time investment.