Paleohacks, a Los Angeles-based website that serves as a repository of items like recipes and meal plans along with running an e-commerce store, reportedly exposed the data of some 70,000 users to potential fraud and hacking, thanks to a data leak reported by researchers at vpnMentor.
According to vpnMentor’s analysis, this incident originated from “a cloud storage account Paleohacks was using to store the private data and personal details of over 70,000 customers and users. The company had failed to implement basic data security protocols. As a result, anyone whose data had been collected by Paleohacks was at risk of fraud, identity theft, hacking, and much more.”
The details of what vpnMentor says it discovered: Paleohacks was apparently using an Amazon Web Services S3 bucket to house customer data. Hundreds of thousands of businesses around the world use those, but one important thing to know about them is that AWS requires clients to set up data privacy protocols manually when creating the S3 bucket account. “Paleohacks,” according to vpnMentor, “failed to install any privacy protocols on its S3 bucket — leaving the entire contents exposed to anyone with the most basic hacking skills.”
This bucket housed some 6,000 files containing data on nearly 70,000 users. Those files spanned the years 2015 to 2020 and included user data such as email addresses, IP addresses, birth dates, bios, and more. Here’s more from the researchers explaining why Paleohacks leaving the customer data in the state it did is such an issue:
“By combining a customer’s PII data with records of their purchases and orders on the Paleohacks website, a criminal enterprise could create highly effective phishing emails posing as the company and trick customers into providing additional data and credit card details. They could also be enticed into clicking a link embedded with malware, spyware, or another form of malicious software.” What’s more, this issue could allow hackers to break into a user’s account via password reset tokens.
The vpnMentor researchers said they identified this problem while conducting “a huge web mapping project.” According to their explanation, the researchers deploy large-scale web scanners to hunt for unsecured data repositories, and when they come across such data sets they examine them for any data being leaked. Bottom line: “Our team was able to access Paleohacks’ S3 bucket because it was completely unsecured and unencrypted.”
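The point made above, that AWS leaves it to the customer to configure S3 access controls, and that an unconfigured bucket is reachable by anyone, comes down to three settings: the account or bucket Block Public Access flags, the bucket ACL, and the bucket policy. The following audit routine is an added example, not code from vpnMentor or Paleohacks; it assumes inputs shaped like the responses of boto3's get_public_access_block, get_bucket_acl and get_bucket_policy calls, and the sample values are constructed to show a bucket left at defaults with a public-read grant next to a hardened one.

```python
import json

# Group URIs AWS uses in ACLs for "anyone" and "any signed-in AWS user"
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def assess_bucket(public_access_block, acl, policy_json):
    """Return a list of findings explaining why a bucket is publicly reachable.
    Argument shapes are assumed to mirror boto3's get_public_access_block(),
    get_bucket_acl() and get_bucket_policy()['Policy']; None means 'not set'."""
    findings = []
    cfg = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    for flag in PAB_FLAGS:                      # every flag should be True
        if not cfg.get(flag, False):
            findings.append(f"Block Public Access: {flag} is off")
    for grant in (acl or {}).get("Grants", []):  # public group grants in the ACL
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEES:
            who = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {who}")
    if policy_json:                              # unconditional Allow to Principal "*"
        for stmt in json.loads(policy_json).get("Statement", []):
            p = stmt.get("Principal")
            wildcard = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
            if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
                findings.append(f"Policy allows {stmt.get('Action')} to any principal")
    return findings

# Constructed samples: a bucket left at defaults with a public READ grant and a
# public GetObject policy, versus a hardened bucket with only the owner's grant.
OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
               "Permission": "FULL_CONTROL"}
OPEN_PAB = {"PublicAccessBlockConfiguration": {f: False for f in PAB_FLAGS}}
OPEN_ACL = {"Grants": [OWNER_GRANT, {"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
              "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example/*"}]})
HARDENED_PAB = {"PublicAccessBlockConfiguration": {f: True for f in PAB_FLAGS}}
HARDENED_ACL = {"Grants": [OWNER_GRANT]}

if __name__ == "__main__":
    for finding in assess_bucket(OPEN_PAB, OPEN_ACL, OPEN_POLICY):
        print("FINDING:", finding)
    print("hardened bucket findings:", assess_bucket(HARDENED_PAB, HARDENED_ACL, None))
```

A bucket that has never had Block Public Access configured returns no configuration at all from AWS, which is why the routine treats a missing block the same as all four flags being off.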
Paleohacks as of yet hasn’t responded publicly about the issue. Customers are encouraged to contact the company to ask how it’s protecting their data.