Social E-Commerce 21 Buttons Exposes User Personal Details


Barcelona-based social e-commerce company 21 Buttons reportedly left its cloud storage publicly accessible and unencrypted, exposing 50 million files.

According to the team at vpnMentor, who discovered the unsecured data bucket, the cloud storage hosted by Amazon Web Services includes the personal information of users. Some identifiable details include full names, social media posts, addresses, bank details, ID numbers, and sales commissions through the app.


The incident happened in early November, and the company responsible has yet to take any action to counter the damages. The application is used by influencers who upload their photos and link to the e-commerce stores where the products are bought.

Researchers at vpnMentor, led by Noam Rotem, said the application has two million active users and numerous partnerships with brands across Europe. In addition to the credentials, the exposed data include influencers’ photos and videos.


Influencers affected by the breach include Danielle Metz, Freddy Cousin Brown, Marion Caravano, Carlota Weber Mazuecos, and Irsa Saleem. The web privacy company said that if the data buckets landed in the wrong hands, hackers could obtain more bank and payment details.

“If somebody shared the invoices publicly, bad actors would have plenty of material to identify any private accounts held by influencers, as well as their homes and workplaces,” said vpnMentor.

In addition to the risks of fraud and phishing, the influencers can also experience an invasion of their privacy because the invoices are exposed. The available information can also be used for stalking and harassment, both online and offline.

The cybersecurity firm informed 21 Buttons of the issue three times, on Nov. 5, Nov. 12, and Dec. 8, but received no initial response. The researchers tried to reach Amazon about the incident on Nov. 10 and Dec. 8, and the first response came only on Dec. 22.

AWS said it would create a breach notification for the corresponding department. The cloud storage host provided no other updates.

“Most social media influencers try to keep their PII data secret and completely hidden. However, by exposing their contact details, home addresses, and national ID numbers, 21 Buttons has compromised the privacy of everyone affected,” stated the researchers at vpnMentor.

In addition to hefty fines for data mishandling, 21 Buttons can also face legal action under the European Union’s General Privacy Regulation and even class actions from affected influencers.