social media

Names and Addresses of Social Media Influencers Leaked

Octoly

More than 12,000 social media influences from YouTube, Instagram, Twitter and even the gaming platform Twitch were exposed last month due to a data breach.  This happened at a marketing firm that pairs online stars with top brands seeking product reviews and endorsements.  Many of these online stars have incredibly huge followings and are known for offering beauty tips – primarily on Instagram.  Few influencers use their own real names online.  And, like any other kind of celebrity, many social media stars have a heightened need for privacy, chiefly when it comes to the threat of online harassment.  The big question I have, around any security breach, is how this happens?  I mean, the answer is generally simple, but I don’t understand how companies can’t seem to protect data.

The breach, which is tied to the influencer marketing firm Octoly, not only exposed the stars’ true identities but also their addresses, phone number and, email addresses.  What’s interesting about the breach is that the users are predominantly young women.  I say interesting because that’s a random fact to pull out of this.  But maybe there are more female influencers than male?  The breach exposed a massive list of the brands that partner with these influencers, including top gaming companies such as Blizzard and Ubisoft.  As far as beauty brands go, we are seeing names like Sephora, L’Oreal, and Sisley.

Octoly

Researchers discovered the database early in January and were able to quickly link it to Octoly.  Octoly’s Amazon server was publicly accessible, meaning almost anyone could view its contents without a password.  (I guess that answer the question I had earlier of how this happens) Getting access to the actual data proved challenging for hackers.  When companies do have a security breach, they typically respond quickly, but Octoly was incredibly slow to respond.  That said, it’s only been a couple of weeks, and while the information being exposed is sensitive, let’s think back to the Equifax breach.  That was months before Equifax did anything internally to respond.  It took them even longer to let the public know that their social security numbers were available for literally everyone.

The breach was discovered on January 4th.  The following day, a direct message was sent to the company on Twitter.  Those who discovered the breach also called Octoly’s corporate office twice over the course of a week without receiving a response.  The data, meanwhile, remained accessible to anyone with the know-how to locate it—namely, hackers trolling the internet for random unsecured Amazon servers.

Octoly

“This exposure reveals highly sensitive personal information about over twelve thousand individual men and women who, by merit of their prominence on the internet, are particularly vulnerable to the possibilities of harassment, abuse, and even the violence of ‘swatting,” said Mike Baukes cofounder and co-CEO of UpGuard – the company that discovered the breach.  Baukes goes on to say:

“Octoly’s inability to secure this data for weeks after being notified by UpGuard, despite repeated follow-up communication and instruction on how to do so, is an unfortunate illustration of how not to respond to news of a data exposure.  Executives whose enterprises have suffered a data exposure must not merely move quickly to remediate such issues, but become knowledgeable on the realities of cyber risk in case the worst should occur.”

Octoly’s co-founder, Fabien Guiraud, finally reached out to UpGuard on January 14th. While many of the corporate records disappeared shortly thereafter, the client database containing a wealth of personally identifiable information remained accessible online. Persistent, UpGuard continued to reach out. More than a week later, Guiraud told the researchers the database was secured. It wasn’t.  While I think that this is awful, the risk isn’t quite the same as what we saw with Equifax – which was financial.  The greatest risk we will see with this is human.  What that means though, isn’t necessarily good.  People could be stalked, or worse.  Maybe the most interesting part is the fact that hackers are looking for unprotected Amazon cloud servers.  In fact, it’s become somewhat of a hobby.  I ask the question – why aren’t companies better-protecting user information?  Why is this so difficult?