Personally identifiable information of more than 99,000 customers of V Shred, a Las Vegas-based diet supplement and exercise program company, may have been left exposed online because of an unsecured cloud storage bucket.
V Shred bills itself as a fast-growing "fitness, nutrition, and supplement brand" with tens of thousands of customers in 119 countries and 12 million unique website visitors.
However, VPNMentor researchers said they found an unprotected Amazon Web Services S3 "bucket" holding 1.3 million personal files and a total of 606 GB of data. An S3 bucket is exposed when its access policy or access-control list grants read (or list) permission to everyone, so anyone who learns the bucket name can download its contents without credentials.
"By not protecting these files, V Shred was violating customer privacy and security, leaving them exposed to bullying and fraud," the researchers wrote in a blog post yesterday (July 2).
The unprotected AWS bucket, discovered by the researchers on May 14, consisted primarily of three large comma-separated value (CSV) files.
However, the bucket also contained profile photos, "before and after" photos of clients (some "very revealing"), and information about meal plans.
According to the researchers, the unsecured photos and documents "contained a variety of personally identifiable (PII) data, revealing sensitive information about the people exposed."
Tom's Guide has reached out to V Shred's parent company, Sculpt Nation, for comment. We will update this article as soon as we receive a response.
The three CSV files contained the personal information of tens of thousands of people worldwide.
Each file had a different purpose: the first held 96,000 entries in a sales lead-generation list, the second held 3,522 entries in an email address list, and the third held the personal information of 52 trainers.
The researchers warn that the CSV files "posed a greater immediate risk" than the photos and documents because each one "contains a vast amount of PII data for each individual listed."
According to VPNMentor, the CSV files contained information such as full name, home address, email, phone number, birthday, Social Security number, spouse's name, social media accounts, user name and password, gender, health status, age, and citizenship.
The report makes no mention of whether the passwords were stored as one-way hashes or as plaintext. If you have a V Shred account, change your password now, and change it anywhere else you reused it.
The Social Security numbers probably belong to the 52 trainers, since US companies typically collect such data only from employees and contractors. If you are one of those people, it's best to sign up for an identity theft protection service now.
The researchers contacted V Shred and AWS in May to alert them to the exposure, but it took V Shred a month to remove the files containing personal information from the AWS bucket.
The fitness company told VPNMentor that because V Shred's clients needed access to meal plans, workout instructions, and before-and-after photos, "all other files would remain publicly accessible."
ZDNet's Charlie Osborne looked at the data still accessible and confirmed that it contained "company materials, diet guides, workout plans, and user photos."
As for the impact of this exposure, VPNMentor warns that "malicious hackers and cybercriminals could launch a very effective phishing campaign targeting V Shred's customers."
That is true, but only if malicious hackers obtained the exposed information. There is no indication that anyone other than VPNMentor accessed the files before they were protected.
However, many people are actively scanning the Internet for insecure AWS buckets: a bucket that grants list or read access to everyone answers unauthenticated HTTP requests at its public endpoint, so an exposed bucket is typically found by guessing or enumerating bucket names rather than by any sophisticated attack.
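The check a practitioner runs against their own bucket is to look at what the bucket policy and access-control list actually grant. The following is an added example, not code from the article, VPNMentor, or V Shred: it parses the JSON that `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` return and flags every grant to an anonymous or all-authenticated-users principal. The bucket name `example-bucket`, the sample policy, and the sample ACL are constructed to resemble an exposure of this kind (a world-readable `s3:GetObject` statement plus an `AllUsers` READ grant).

```python
"""Audit an S3 bucket policy and ACL for public grants.

Inputs are the raw JSON printed by:
    aws s3api get-bucket-policy --bucket example-bucket   # {"Policy": "<json string>"}
    aws s3api get-bucket-acl    --bucket example-bucket   # {"Owner": ..., "Grants": [...]}
The sample documents below are constructed for this example.
"""
import json

# ACL group URIs that mean "everyone on the Internet" / "anyone with any AWS account".
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    """Policy fields such as Statement, Action and Principal.AWS may be a scalar or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def load_policy(cli_output):
    """Accept the get-bucket-policy wrapper, a bare policy document string, or a parsed dict."""
    doc = json.loads(cli_output) if isinstance(cli_output, str) else cli_output
    if isinstance(doc.get("Policy"), str):  # CLI wraps the document as an escaped string
        doc = json.loads(doc["Policy"])
    return doc


def principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"} (the anonymous principal)."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS"))


def public_policy_statements(policy):
    """Return Allow statements granted to everyone. A statement that also carries a
    Condition (e.g. aws:SourceVpc) is reported with conditioned=True for manual review
    rather than silently dropped, since a weak condition still leaves the bucket public."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": _as_list(stmt.get("Action")),
            "conditioned": bool(stmt.get("Condition")),
        })
    return findings


def public_acl_grants(acl):
    """Return (group, permission) pairs for ACL grants to AllUsers / AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append((PUBLIC_ACL_GROUPS[grantee["URI"]], grant.get("Permission")))
    return findings


def audit_bucket(policy_output, acl_output):
    """Combine both checks; an empty result means no grant to everyone was found."""
    acl = json.loads(acl_output) if isinstance(acl_output, str) else acl_output
    return {"policy": public_policy_statements(load_policy(policy_output)),
            "acl": public_acl_grants(acl)}


# Constructed sample: what the two CLI calls might print for an exposed bucket.
SAMPLE_POLICY_OUTPUT = json.dumps({"Policy": json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "ListFromVpc", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": ["s3:ListBucket"], "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-0123456789abcdef0"}}},
        {"Sid": "AdminFull", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/Admin"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ]})})

SAMPLE_ACL_OUTPUT = json.dumps({
    "Owner": {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser",
                     "ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ]})

if __name__ == "__main__":
    result = audit_bucket(SAMPLE_POLICY_OUTPUT, SAMPLE_ACL_OUTPUT)
    for f in result["policy"]:
        flag = "REVIEW" if f["conditioned"] else "PUBLIC"
        print(f"[{flag}] policy statement {f['sid']} allows {f['actions']} to everyone")
    for group, perm in result["acl"]:
        print(f"[PUBLIC] ACL grants {perm} to {group}")
```

A positive finding is fixed by removing the grant and, more robustly, by turning on all four S3 Block Public Access settings for the bucket (`aws s3api put-public-access-block --bucket example-bucket --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`), which makes the policy and ACL grants above ineffective even if someone re-adds them. Files that must be reachable by customers, as V Shred said its meal plans were, belong behind authenticated access or short-lived pre-signed URLs rather than in a bucket that is listable by the world.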
VPNMentor reports, "V Shred is a young company and appears to be run by a small team. However, it is responsible for protecting those who use its products and sign up for its services.
"By not doing so, V Shred is jeopardizing the privacy and security of those exposed and the future of the company itself."