[BreachExchange] Paleohacks data leak exposes customer records, password reset tokens

Destry Winant destry at riskbasedsecurity.com
Fri Apr 30 10:38:15 EDT 2021


https://www.zdnet.com/article/paleohacks-data-leak-exposes-customer-records-password-reset-tokens/

A popular online resource for paleo recipes and tips was the source of a
data leak impacting roughly 70,000 users.

Los Angeles-based Paleohacks runs a website containing recipes, meal plans,
and articles on the paleolithic lifestyle, including downloadable guides, a
forum, and an e-commerce store.

The vpnMentor research team, led by Noam Rotem, said that there was a failure
to implement "basic data security protocols" on the S3 bucket: the
misconfiguration left it with no access restrictions, so anyone on the
internet could read it.
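The finding above is a bucket with no access restrictions at all. The following is an added example, not code from vpnMentor, Paleohacks or the article, showing the three signals a defender checks to decide whether an S3 bucket is exposed: the account/bucket Public Access Block settings, the policy status, and public ACL grants. The evaluation functions are pure and run offline on constructed API responses; `fetch_bucket_exposure` (an assumed helper name) wires them to the real `boto3` calls when that library and credentials are available.

```python
"""Assess whether an S3 bucket is reachable by the public (added example).

Helper names are assumptions for this example. The assess()/pab_findings()/
acl_public_grants() functions are pure so they can be exercised on the
constructed responses below; fetch_bucket_exposure() uses boto3 when it is
installed and the caller's credentials can read the bucket's configuration.
"""
from typing import Dict, List

# The four settings of an S3 Public Access Block. All must be True for the
# guard rail to block every public ACL and every public bucket policy.
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def pab_findings(pab: Dict[str, bool]) -> List[str]:
    """Return the Public Access Block settings that are disabled or missing."""
    return [k for k in PAB_KEYS if not pab.get(k, False)]


def acl_public_grants(acl: Dict) -> List[str]:
    """Return permissions granted to the AllUsers / AuthenticatedUsers groups.

    `acl` has the shape returned by S3 GetBucketAcl:
    {"Grants": [{"Grantee": {...}, "Permission": "READ"}, ...]}
    """
    public_uris = {
        "http://acs.amazonaws.com/groups/global/AllUsers",
        "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
    }
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in public_uris:
            group = grantee["URI"].rsplit("/", 1)[-1]
            found.append(f"{group}:{grant['Permission']}")
    return found


def assess(pab: Dict[str, bool], policy_is_public: bool, acl: Dict) -> Dict:
    """Combine the signals into a verdict.

    'exposed' is True when a public path exists right now (public policy or
    public ACL grant). 'weak_guard_rail' lists Public Access Block settings
    that are off, meaning a future misconfiguration would not be blocked.
    """
    grants = acl_public_grants(acl)
    return {
        "exposed": policy_is_public or bool(grants),
        "public_acl_grants": grants,
        "policy_is_public": policy_is_public,
        "weak_guard_rail": pab_findings(pab),
    }


def fetch_bucket_exposure(bucket: str) -> Dict:
    """Live check using boto3 (optional dependency; imported lazily)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        pab = s3.get_public_access_block(Bucket=bucket)[
            "PublicAccessBlockConfiguration"]
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = {}  # no Public Access Block at all: every setting counts as off
    try:
        policy_public = s3.get_bucket_policy_status(Bucket=bucket)[
            "PolicyStatus"]["IsPublic"]
    except ClientError as e:
        if e.response["Error"]["Code"] != "NoSuchBucketPolicy":
            raise
        policy_public = False
    return assess(pab, policy_public, s3.get_bucket_acl(Bucket=bucket))


# Constructed sample responses (not real API output): an open bucket with no
# Public Access Block and a world-readable ACL, beside a locked-down one.
OPEN_BUCKET = {
    "pab": {},
    "policy_is_public": False,
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]},
}
LOCKED_BUCKET = {
    "pab": {k: True for k in PAB_KEYS},
    "policy_is_public": False,
    "acl": {"Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner"},
         "Permission": "FULL_CONTROL"},
    ]},
}

if __name__ == "__main__":
    for name, b in (("open", OPEN_BUCKET), ("locked", LOCKED_BUCKET)):
        print(name, assess(b["pab"], b["policy_is_public"], b["acl"]))
```

Run as a script it prints the verdict for both constructed buckets; with credentials, `fetch_bucket_exposure("my-bucket")` runs the same logic against a live bucket. The Public Access Block check matters even when nothing is public today: it is the setting that stops a later ACL or policy change from recreating the situation the article describes.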

The bucket contained roughly 6,000 files containing the records of
approximately 69,000 users. According to the researchers, the content
spanned from 2015 to 2020 and included personally identifiable information
(PII) such as full names, email addresses, IP addresses, login
timestamps, locations, dates of birth, bios, and profile pictures.

While passwords were hashed, vpnMentor said that some entries also
contained password reset tokens for subscription and membership services.
These tokens were stored as bcrypt hashes, but the researchers said it could
still be possible to abuse them to hijack user accounts.

The unsecured bucket was discovered on February 4. vpnMentor attempted to
contact the vendor on February 7, February 9, and March 17; however, there
was no response. As a result, the team reached out to Amazon as a last resort.

It is not known if any unauthorized individuals have accessed the bucket.

"Our team was able to access Paleohacks' S3 bucket because it was
completely unsecured and unencrypted," the company says. "If you're a
customer of Paleohacks and are concerned about how this breach might impact
you, contact the company directly to determine what steps it's taking to
protect your data."

Paleohacks has not responded to requests for comment at the time of
publication.