The misconfigured Amazon S3 bucket belonged to Reindeer, a now-defunct marketing company based in the United States.
Threat analysis from the WizCase security team led by Ata Hakçıl revealed a data leak impacting the now-defunct American marketing firm Reindeer.
WizCase’s team of researchers identified that the data leak exposed sensitive personal data of the company, which once was linked with renowned brands like Tiffany & Co. and Patrón Tequila and provided digital marketing services to companies worldwide.
Researchers revealed that the exposed Amazon S3 bucket wasn’t protected with a password or required login credentials to access the data. Ironically, the data wasn’t even encrypted. A majority of the affected users were from the USA, UK, and Canada.
32GB of Data Exposed
Reportedly, the breach exposed the private information of nearly 300,000 Reindeer customers, making them vulnerable to a variety of threats and attacks. The information included the following:
- Full names
- Dates of birth
- Profile pictures
- Facebook IDs
- Email addresses
- Hashed passwords
- Physical addresses
- Phone numbers.
WizCase claims that the database contained around 50,000 files and had 32GB of data. Data includes details of various Reindeer customers, including Patrón and UK-based clothing brand Jack Wills. The data included 1,400 profile photos as well.
Screenshot of Patrón Social Club’s site users information (Image: vpnMentor)
WizCase notified Amazon about the breach.
“We reached out to Amazon regarding the breach. As the bucket is owned by a now-defunct company, the web host is the only contact we could find to help secure the breach. We also informed the US-Cert, hoping they would be able to reach out to the previous company owner,” the company noted.
Security Lapse or Accidental Breach?
According to researchers, this breach indicates a “concerning lack of due diligence” from Reindeer. The company apparently has ceased working with the brands by 2014 but had access to such sensitive information of thousands of users and didn’t even secure it properly.
“Even when a company goes out of business, it still possesses responsibilities to its users and its client’s users to keep their data safe,” WizCase researchers wrote in their report.
This sort of information could be leveraged to launch various types of cyberattacks, such as phishing and vishing attacks, identity theft, Bruce force attacks, and social engineering attacks. Cybercriminals may also trade the leaked data on the dark web marketplaces.