[BreachExchange] Fitness firm V Shred exposes 606 GB worth of sensitive customer data

Destry Winant destry at riskbasedsecurity.com
Tue Jul 7 09:44:13 EDT 2020


https://www.hackread.com/fitness-firm-v-shred-leaks-606-gb-customer-data/

Another day, another data breach. This time, V Shred, a fitness,
nutrition, and supplement brand has exposed personal and sensitive
data of almost 100,000 customers and trainers.

The breach took place because of a misconfigured Amazon Web Services
(AWS) S3 bucket that left 606 GB worth of data open to public access
without any password or security authentication. The trove of exposed
data included:

Age
Gender
Full names
Date of birth
Spouse names
Email address
Phone numbers
Home addresses
Health conditions
Citizenship status
Social security number
Social media accounts
Username and password



It doesn’t end here. According to vpnMentor, the company that
identified the database and shared their report with Hackread.com,
users’ personally identifiable information (PII) and profile photos,
including “very revealing ‘before and after’ body photos” of customers
in the United States, were also exposed to public access.

Although it is unclear whether the data was accessed by a third party
with malicious intent, if it was, the damage has already been done. For
instance, V Shred users are now exposed to online as well as physical
scams including phishing, identity theft, and blackmail.

V Shred could potentially lose a lot of customers and followers due to
this data breach. People may be reluctant to trust a company that
doesn’t sufficiently protect their most private and sensitive data,
said vpnMentor’s researchers in a blog post.

The researchers warned that the exposed data can also be used by V
Shred’s competitors for negative marketing. Therefore, if you are a V
Shred customer, it is time to get in touch with the company and
inquire about the data breach.

Furthermore, change the password of your email address along with
those of your social media accounts. Keep an eye out for suspicious
emails, as cybercriminals can now target you with phishing or malware
attacks.

Database administrators are advised to scan for misconfigurations
regularly and implement proper security authentication on their
databases. Small businesses usually assume that no attacker would be
at their throats, given the low theft potential they present, and that
their being hacked would be akin to finding a needle in a haystack.

