Octoly Leaks Personal Data of 12,000 Social Media Influencers

We all share information when we sign up for online services, and we all expect that information to be kept safe. Unfortunately, that is not always the case, and 12,000 social media influencers have learned it the hard way. Octoly, a Paris-based marketing company that works with these influencers, accidentally leaked highly personal data, including full names, phone numbers, personal email addresses, birth dates, and even home addresses. No one wants this kind of information leaked, but people who have millions of YouTube subscribers and Instagram followers have particular reason to dread it. In extreme cases, fans can use personal information to track down their favorite online stars, and that, of course, could lead to great discomfort and possibly even dangerous situations. The UpGuard Cyber Risk Team, which discovered the leak, also found that hashed passwords were leaked, which could cause huge problems of its own. Unfortunately, no one can guarantee that something like this will not happen again.

Dan O’Sullivan of UpGuard recently reported the data leak, and according to the researcher it occurred due to an “erroneous configuration of the repository for public access.” The files that stored personal information were left in a vulnerable Amazon Web Services (AWS) S3 cloud storage bucket, and although UpGuard informed Octoly about it right away, the necessary security measures were not taken until February 1st, which was almost a month after the discovery. On January 12th, the backup file named “octoly_production.sql” was deleted, but it took another few weeks to secure the files containing the personal information of 12,000 clients. Octoly is a marketing company that works directly with social media influencers to help them accelerate their careers. How does that work? Octoly works with hundreds of different companies that are willing to pay media influencers to promote their products. Among these companies are Dior, Estée Lauder, Lancôme, Blizzard Entertainment, L’Oreal, Pierre Fabre, and Birchbox. While no sensitive information belonging to these companies was leaked, the incident will definitely hurt the reputation and the future ventures of the marketing company overall.

Since Octoly mediates between companies that want to have their products promoted and the individual media influencers who are sent those products, it is not surprising that it records home addresses, phone numbers, and other contact details. Unfortunately, having this kind of information leaked is a huge problem, as it is hard to say who could have saved the data while it was exposed. While leaked contact information can pose many different problems, the victims of this data breach need to be cautious about the leaked passwords as well. It is believed that influencers used these passwords to connect to their Octoly accounts. Unfortunately, many of us reuse passwords, and this could be true for influencers as well. If the Octoly passwords coincide with the passwords that the victims use to connect to their social media accounts, someone could figure out a way to break into those accounts and use them in various malicious ways. Considering that social media accounts are the core of the livelihood of most of the affected influencers, this can be very detrimental.

The researchers at UpGuard expressed their worries that the influencers represented by Octoly, who are mostly young females, could be harassed using the information that was leaked. For example, full names could unmask people who conceal themselves behind aliases, revealing information they had kept hidden. Hopefully, this massive data leak does not affect the more vulnerable influencers in any way, and the companies that are in possession of sensitive information take better security measures to keep it protected at all times. Unfortunately, even highly reputable companies, such as Equifax, Apple, and Imgur, are not immune to security breaches and data leaks. Although companies are the ones responsible for keeping private information private, users have to do their part as well. It is important to share information only with reliable and reputable companies, and to keep the information that is shared to a minimum. As the leak of Octoly’s customer data shows, setting up unique passwords for all accounts can protect against bigger problems too.

References:

Mascarenhas, H. February 6, 2018. Octoly data leak: Personal details of 12,000 social media influencers exposed in cloud storage error. IBT.
O’Sullivan, D. February 5, 2018. Bad Influence: How A Marketing Startup Exposed Thousands of Social Media Stars. UpGuard.