The personally identifiable information of more than 99,000 customers of Las Vegas-based diet-supplement and exercise-program company V Shred may have been left exposed online due to an insecure database.
V Shred describes itself as a fast-growing "fitness, nutrition and supplement brand" with tens of thousands of customers in 119 countries and 12 million unique website visitors.
- The best antivirus software to keep you and your devices safe
- VPN: add an extra layer of security with a virtual private network
- Just In: BMW, Mercedes and Hyundai owners hit by massive data breach
But researchers at VPNMentor said (opens in new tab) they had found an unsecured Amazon Web Services "bucket" that held 1.3 million personal files and 606GB of data in total.
“By not protecting these files, V Shred compromised the privacy and security of its customers and left them exposed to bullying, fraud, and more,” wrote the researchers in a blog post yesterday (July 2).
The unprotected AWS bucket, found by the researchers May 14, consisted mainly of three large comma-separated-values files, which are simple databases that can be easily opened by Microsoft Excel or other spreadsheet programs.
But the bucket also contained profile photos, "before and after body photos" of customers -- some "very revealing" -- and information about meal plans.
According to the researchers, the unsecured photos and documents “contained various pieces of personally identifiable information (PII) data that revealed sensitive information about the people exposed.”
Tom's Guide has reached out to V Shred's parent company, Sculpt Nation, for comment. We will update this story when we receive a reply.
Putting thousands at risk
The three CSV files contained the personal information from tens of thousands of individuals from across the world.
Each file had a different purpose. One contained 96,000 entries from a sales-lead-generation list; the second contained 3,522 entries from an email-address list; and the third contained the personal information of 52 trainers who worked for or with the company.
The researchers warned that the “CSV files presented a much greater immediate risk” due to the fact that they “contained huge amounts of PII data for each individual listed".
VPNMentor said the CSV files included information like full names, home addresses, emails, phone numbers, birthdays, Social Security numbers, spouse names, social media accounts, username and passwords, gender, health conditions, age, citizenship and more.
The report didn't say whether the passwords were "hashed," or protected by one-way encryption, in any way. Because of that lack of information, it's probably best to assume the worst, so if you have a V Shred account, change its password now. (And use one of the best password managers to create and handle it.)
The Social Security numbers presumably belonged to the 52 trainers, as U.S. companies normally collect such data only from employees or contractors. But if you're one of those people, best to sign up with one of the best identity-theft-protection services now.
Lack of action
The researchers contacted V Shred and AWS to alert them of the breach in May, but V Shred took a month to remove the files containing personal information from the AWS bucket.
The fitness firm told VPNMentor that it "would be leaving all other files publicly accessible" because V Shred customers needed to be able to access their meal plans, workout instructions and before-and-after photos.
Charlie Osborne at ZDNet (opens in new tab) had a look at the data that was still accessible and confirmed that it included "company materials ... diet guides, workout plans, and user photos."
In terms of the impact of this breach, VPNMentor warned that “malicious hackers and cybercriminals could create very effective phishing campaigns targeting V Shred customers”.
That's true, but only if malicious hackers were to get access to the exposed information. There's no indication that anyone other than VPNMentor did before the files were secured, which is why we're not calling this a data breach.
However, plenty of people are indeed snooping around the internet trying to find unsecured AWS buckets.
VPNMentor's report added: “V Shred is a young company and appears to be run by a small team. However, it’s still responsible for protecting the people using its products and signing up for its services.
“By not doing so, V Shred has jeopardized the privacy and security of the people exposed, and the future of the company itself.”
- More: Protect your employees and clients with the best business VPN