Personal data of roughly 70,000 users of a popular online resource for the paleo diet has been found exposed on Amazon AWS.
vpnMentor researchers revealed that a misconfigured Amazon AWS S3 bucket storing users' private data and records allowed anyone to access that data.
The Los Angeles-based Paleohacks is a website offering recipes, meal plans, downloadable guides, and articles on the paleolithic diet, as well as a forum and an e-commerce store.
The vpnMentor team, led by Noam Rotem, said the website operators failed to implement “basic data security protocols” on their S3 bucket.
“Our team was able to access Paleohacks’ S3 bucket because it was completely unsecured and unencrypted,” the company says. “If you’re a customer of Paleohacks and are concerned about how this breach might impact you, contact the company directly to determine what steps it’s taking to protect your data.”
The resulting misconfiguration allowed an unauthorized user to access the hosted information.
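The two failings described above, a bucket open to anyone and no encryption, are both visible from the bucket's own settings. The following is an added example, not code from vpnMentor or Paleohacks, that evaluates the response shapes of boto3's `get_public_access_block` and `get_bucket_encryption`; the bucket names and sample responses are constructed, and the live `fetch_and_audit` helper assumes AWS credentials are available.

```python
"""Audit an S3 bucket for the two weaknesses reported in the article:
no Public Access Block (anyone can read it) and no default encryption.
Evaluation works on the dict shapes boto3 returns, so it can be exercised
on constructed responses without touching AWS."""

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def public_access_findings(pab_config):
    """pab_config: the 'PublicAccessBlockConfiguration' dict, or None when
    the bucket has no Public Access Block at all."""
    if pab_config is None:
        return ["no Public Access Block configured"]
    return [f"{k} is not enabled" for k in PAB_KEYS if not pab_config.get(k, False)]


def encryption_findings(enc_config):
    """enc_config: the 'ServerSideEncryptionConfiguration' dict, or None when
    the bucket has no default server-side encryption rule."""
    if enc_config is None:
        return ["no default server-side encryption"]
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in enc_config.get("Rules", [])}
    if not algos or algos == {None}:
        return ["encryption rule present but no SSEAlgorithm set"]
    return []


def audit_bucket(name, pab_config, enc_config):
    findings = public_access_findings(pab_config) + encryption_findings(enc_config)
    return {"bucket": name, "findings": findings, "ok": not findings}


def fetch_and_audit(bucket_name):
    """Live variant: pulls both settings with boto3 (needs AWS credentials)."""
    import boto3
    from botocore.exceptions import ClientError
    s3 = boto3.client("s3")
    try:
        pab = s3.get_public_access_block(Bucket=bucket_name)["PublicAccessBlockConfiguration"]
    except ClientError as e:  # error code S3 returns when no block is set
        if e.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
            raise
        pab = None
    try:
        enc = s3.get_bucket_encryption(Bucket=bucket_name)["ServerSideEncryptionConfiguration"]
    except ClientError as e:  # error code S3 returns when no default encryption is set
        if e.response["Error"]["Code"] != "ServerSideEncryptionConfigurationNotFoundError":
            raise
        enc = None
    return audit_bucket(bucket_name, pab, enc)


# Constructed sample responses (not from the article): an open bucket and a locked-down one.
OPEN_BUCKET = audit_bucket("example-open-bucket", None, None)
LOCKED_BUCKET = audit_bucket(
    "example-locked-bucket", {k: True for k in PAB_KEYS},
    {"Rules": [{"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]})
```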
The AWS bucket contained some 6,000 files with records about some 69,000 proponents of the paleo lifestyle. The data spanned 2015 through 2020 and included personally identifiable information such as full names, email addresses, login timestamps, locations, IP addresses, dates of birth, profile pictures, and bios.
vpnMentor said passwords were hashed with the bcrypt algorithm. But some entries contained password reset tokens related to subscription and membership services. The tokens were protected with bcrypt, too, but bad actors could still abuse them to hijack user accounts, according to the VPN company.
vpnMentor says it discovered the unsecured bucket on February 4 and repeatedly contacted the vendor, to no avail. The researchers then alerted Amazon. It is not known whether anybody else accessed the faulty AWS bucket.