
If you use this popular recipe site, your private data might’ve been stolen

Published May 2nd, 2021 10:34AM EDT
Data leak
Image: Anthony Brown/Adobe


Paleohacks, a Los Angeles-based website that serves as a repository of items like recipes and meal plans along with running an e-commerce store, reportedly exposed the data of some 70,000 users to potential fraud and hacking, thanks to a data leak reported by researchers at vpnMentor.

According to vpnMentor’s analysis, this incident originated from “a cloud storage account Paleohacks was using to store the private data and personal details of over 70,000 customers and users. The company had failed to implement basic data security protocols. As a result, anyone whose data had been collected by Paleohacks was at risk of fraud, identity theft, hacking, and much more.”

The details of what vpnMentor says it discovered: Paleohacks was apparently using an Amazon Web Services S3 bucket to house customer data. Hundreds of thousands of businesses around the world use those, but one important thing to know about them is that AWS requires clients to set up data privacy protocols manually when creating the S3 bucket account. “Paleohacks,” according to vpnMentor, “failed to install any privacy protocols on its S3 bucket — leaving the entire contents exposed to anyone with the most basic hacking skills.”
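Because the bucket owner, not AWS, has to turn on the restrictions the article refers to, the misconfiguration is visible in the bucket's own settings. The following Python is an added example (not from the article or from vpnMentor's report) that flags the three places a bucket can be left open, run here on constructed sample documents; the boto3 calls named in the comment are assumed to be how a real bucket's documents would be fetched.

```python
import json

# Real AWS identifiers: the two S3 "everyone" groups, and the four Block Public Access flags.
PUBLIC_GROUP_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                     "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_grants(acl):
    """Return [(group_uri, permission)] for ACL grants open to everyone."""
    hits = []
    for grant in acl.get("Grants", []):
        g = grant.get("Grantee", {})
        if g.get("Type") == "Group" and g.get("URI") in PUBLIC_GROUP_URIS:
            hits.append((g["URI"], grant.get("Permission")))
    return hits

def public_policy_sids(policy):
    """Return Sids of unconditional Allow statements whose Principal is '*'."""
    sids = []
    for st in policy.get("Statement", []):
        p = st.get("Principal")
        p = p.get("AWS") if isinstance(p, dict) else p      # {"AWS": "*"} form
        p = "*" if isinstance(p, list) and "*" in p else p  # ["*", ...] form
        if st.get("Effect") == "Allow" and p == "*" and not st.get("Condition"):
            sids.append(st.get("Sid", "<no Sid>"))
    return sids

def block_public_access_complete(cfg):
    """True only when all four S3 Block Public Access flags are on."""
    return all(cfg.get(f) is True for f in PAB_FLAGS)

def assess_bucket(acl, policy, pab_cfg):
    """Combine the checks; an empty list means no public exposure was found."""
    findings = [f"ACL grants {perm} to {uri.rsplit('/', 1)[-1]}"
                for uri, perm in public_acl_grants(acl)]
    findings += [f"bucket policy statement '{sid}' allows Principal '*'"
                 for sid in public_policy_sids(policy)]
    if not block_public_access_complete(pab_cfg):
        findings.append("Block Public Access is not fully enabled")
    return findings

# Constructed sample documents. Their shapes match what boto3 returns from
# get_bucket_acl, get_bucket_policy (json.loads of its "Policy" string) and
# get_public_access_block (its "PublicAccessBlockConfiguration" value).
EXPOSED_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}
EXPOSED_POLICY = json.loads('{"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",'
                            ' "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}')
EXPOSED_PAB = dict.fromkeys(PAB_FLAGS, False)
HARDENED_PAB = dict.fromkeys(PAB_FLAGS, True)
```

A bucket that passes all three checks can still be reachable through IAM policies on other principals, so this is a first screen, not a full audit.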

This bucket housed some 6,000 files containing data on nearly 70,000 users. Those files spanned the years 2015 to 2020 and included user data such as email addresses, IP addresses, birth dates, bios, and more. Here’s more from the researchers explaining why Paleohacks leaving the customer data in the state they did is such an issue:

“By combining a customer’s PII data with records of their purchases and orders on the Paleohacks website, a criminal enterprise could create highly effective phishing emails posing as the company and trick customers into providing additional data and credit card details. They could also be enticed into clicking a link embedded with malware, spyware, or another form of malicious software.” What’s more, this issue could allow hackers to break into the account of a user via password reset tokens.

The vpnMentor researchers said they identified this problem in the process of conducting “a huge web mapping project.” According to their explanation, their researchers were deploying large-scale web scanners in the hunt for unsecured data repositories, and when they came across such data sets they then examined them for any data being leaked. Bottom line: “Our team was able to access Paleohacks’ S3 bucket because it was completely unsecured and unencrypted.”

Paleohacks has not yet responded publicly about the issue. Customers are encouraged to contact the company to ask how it’s protecting their data.

Andy Meek Trending News Editor

Andy Meek is a reporter based in Memphis who has covered media, entertainment, and culture for over 20 years. His work has appeared in outlets including The Guardian, Forbes, and The Financial Times, and he’s written for BGR since 2015. Andy's coverage includes technology and entertainment, and he has a particular interest in all things streaming.

Over the years, he’s interviewed legendary figures in entertainment and tech that range from Stan Lee to John McAfee, Peter Thiel, and Reed Hastings.