V Shred Exposes Pics and PII on 100,000 Customers
V Shred, a US-based fitness company, suffered a massive data breach due to a misconfigured Amazon S3 bucket that left sensitive personal data and revealing photos of 100,000 customers open to the public. The S3 bucket contained over 1.3 million individual files, according to vpnMentor, which discovered the leak on May 14. However, it took almost a month for V Shred to disable access to the files. vpnMentor reported that the company removed the PII but left other files publicly accessible.
The S3 bucket contained 606 GB of data and PII on 96,000 users, including full names, home addresses, email addresses, birth dates, Social Security numbers, social media accounts, phone numbers, health conditions, and usernames and passwords. The bucket also included other information such as details on 52 trainers, meal plans, profile photos, and before-and-after body photos for some customers. This information could be easily leveraged to create effective phishing campaigns targeting exposed customers.