A data breach affecting approximately 70,000 customers occurred at Paleohacks, a popular website for paleo recipes and guides.
Researchers from vpnMentor reported on Thursday that the leak was centered on a misconfigured Amazon AWS S3 bucket that was used to store users’ personal information.
According to the team, which was headed by Noam Rotem, the website failed to follow “basic data security protocols” on the S3 bucket, leaving it open to unrestricted public access.
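As an added example (not code from vpnMentor's report or from Paleohacks), here is an offline check of the three S3 settings that decide whether a bucket is reachable by anyone: the bucket policy, the legacy ACL grants, and Block Public Access. The two sample bucket records are constructed, shaped like the JSON that the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock calls return, with the first showing an open configuration of the kind described above and the second the locked-down one.

```python
import json
# Constructed sample bucket records (not Paleohacks data), shaped like the JSON that
# GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock return: open vs. locked down.
OPEN_BUCKET = {
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-user-exports/*"}]}),
    "acl_grants": [{"Grantee": {"Type": "Group",
                                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                    "Permission": "READ"}],
    "public_access_block": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                            "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
}
LOCKED_BUCKET = {
    "policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-user-exports/*"}]}),
    "acl_grants": [],
    "public_access_block": {k: True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                               "BlockPublicPolicy", "RestrictPublicBuckets")},
}
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _principal_is_public(principal):
    # "*" or {"AWS": "*"} means anyone on the internet, not just the account's own identities
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return principal == "*"

def audit_bucket(bucket):
    """Return findings describing public exposure; an empty list means none was detected."""
    findings = []
    for stmt in json.loads(bucket.get("policy") or "{}").get("Statement", []):
        if stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal")):
            cond = " (narrowed by a Condition)" if "Condition" in stmt else ""
            findings.append(f"policy grants {_as_list(stmt.get('Action', []))} to everyone{cond}")
    for g in bucket["acl_grants"]:  # legacy ACL grants to the AllUsers/AuthenticatedUsers groups
        if g["Grantee"].get("URI") in PUBLIC_GROUPS:
            findings.append(f"ACL grants {g['Permission']} to {g['Grantee']['URI'].rsplit('/', 1)[1]}")
    pab = bucket["public_access_block"]  # the guard rail that overrides both of the above
    if not all(pab.values()):
        findings.append("Block Public Access not fully on: " + ", ".join(k for k, v in pab.items() if not v))
    return findings
```

Any finding from this check is the condition that let anyone reach the bucket in this incident; turning all four Block Public Access settings on is the single change that neutralises both a public policy and public ACL grants.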
Approximately 6,000 files holding the data of roughly 69,000 people were included in the bucket. The information ranged from the years 2015 to 2020, according to the researchers.
It contained personally identifiable information (PII) such as bios, full names, locations, dates of birth, email addresses, profile pictures, IP addresses, and login timestamps.
Though passwords were hashed, some entries also included password reset tokens for membership and subscription programs, according to vpnMentor. Although these tokens were also hashed with bcrypt, vpnMentor says they could still be used to hijack user accounts.
The unsecured bucket was found on February 4. vpnMentor tried contacting the vendor on February 7, 9, and 17 but received no answer, so as a last resort the team turned to Amazon.
It is uncertain whether any unauthorized person gained access to the bucket. “Our team was able to access Paleohacks’ S3 bucket because it was completely unsecured and unencrypted,” vpnMentor said.
“If you’re a customer of Paleohacks and are concerned about how this breach might impact you, contact the company directly to determine what steps it’s taking to protect your data,” the company noted.
Based in Los Angeles, Paleohacks is a website with paleolithic meal plans and recipes, tips, downloadable guides, and blogs, as well as an e-commerce shop.
The California Consumer Privacy Act (CCPA) applies to the firm since it is located in the U.S. state of California. The firm could face scrutiny from the CCPA’s regulatory body, along with possible penalties or legal action over the cybersecurity incident.
The same applies if Paleohacks violated the EU’s GDPR by exposing the personal data of EU residents.
At a time when data breaches and cybercrime are on the rise, a breach of this nature could seriously harm Paleohacks’ credibility with its customers.
At the time of writing, Paleohacks had not commented on the data breach incident.