"Paleo Lifestyle Site Found Leaking PII on 70,000 Users"
Security researchers at vpnMentor have discovered a misconfigured AWS S3 bucket leaking personal information on 70,000 customers of a popular paleolithic lifestyle site. The researchers found the 290MB trove on February 4 and traced it back to Paleohacks, a US health and lifestyle brand that offers content and resources about the paleo diet. The company has been notified but has ignored every attempt the researchers made to help it close the vulnerability; the S3 bucket remains unfixed and is still leaking information. The exposed PII includes full names, usernames, dates of birth, email and IP addresses, hashed passwords, employer details, location, and more. Also exposed are password reset tokens for some subscription account holders. The passwords were protected by the bcrypt hashing algorithm (a purpose-built, slow password-hashing function rather than reversible encryption). Still, the researchers stated, a hacker could easily use the tokens to reset a person’s password, gain access, and lock the original user out of their account.
Infosecurity reports: "Paleo Lifestyle Site Found Leaking PII on 70,000 Users"
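The passwords in the dump were safe because only bcrypt hashes were stored, while the reset tokens were dangerous because they were stored in usable form. The same principle applies to tokens: persist only a digest, and make each token short-lived and single-use, so a leaked copy of the table cannot be replayed. The following is an added illustration, not code from Paleohacks or from the article; the in-memory store, the 15-minute lifetime and every name in it are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import List, Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed policy: a reset link dies after 15 minutes


@dataclass
class ResetRecord:
    user_id: str
    token_hash: str   # SHA-256 hex digest of the token; the raw token is never written
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """Stand-in for the table a site keeps reset tokens in (constructed for this example).

    Only the hash of each token is stored, so an exposed copy of this table
    cannot be used to reset anyone's password.
    """

    def __init__(self, clock=time.time):
        self._rows: List[ResetRecord] = []
        self._clock = clock  # injectable so expiry can be tested without waiting

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        """Mint a 256-bit random token, persist only its hash, return the raw token for the e-mail."""
        token = secrets.token_urlsafe(32)
        self._rows.append(ResetRecord(user_id, self._digest(token), self._clock() + TOKEN_TTL_SECONDS))
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user_id if the token is valid, unexpired and unused; otherwise None."""
        digest = self._digest(token)
        for row in self._rows:
            # constant-time comparison so the lookup leaks no timing signal about stored digests
            if hmac.compare_digest(row.token_hash, digest):
                if row.used or self._clock() > row.expires_at:
                    return None
                row.used = True  # single use: burned on first successful redemption
                return row.user_id
        return None

    def leaked_rows(self) -> List[str]:
        """What an attacker would see in a dump of this table: digests only, not usable tokens."""
        return [row.token_hash for row in self._rows]
```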