An alarming aspect of the entire incident is that vpnMentor contacted both 21 Buttons and Amazon but no one responded nor cared to secure the data.
Various platforms have carved out a niche for themselves on the internet. 21 Buttons, with over 5 million downloads on Android, is one such social network, primarily geared towards the fashion industry.
It allows users to share their content and also offers e-commerce features for selling clothes. The latest news about it, however, is not good. According to a research report by vpnMentor led by Noam Rotem, and discovered on 2 November 2020, the app exposed the data of hundreds of influencers through a misconfigured AWS bucket.
In total, the bucket held over 50 million files, exposing sensitive information including full names, addresses, financial details such as bank account numbers and PayPal email addresses, photos, and videos. Many of these, however, had already been published on the app for everyone to see before the breach.
The exposure nonetheless made bulk extraction of the data much easier for malicious actors. Among the files were invoices showing how much the company had paid in commissions to notable influencers on the platform, according to the report vpnMentor shared with Hackread.com.
Furthermore, the exposed personally identifiable information (PII) could be used by threat actors in phishing and social engineering attacks against the app's users.
To conclude, an alarming aspect of the entire incident is that vpnMentor contacted both 21 Buttons and Amazon, but neither responded or moved to secure the bucket.
The data remained exposed for more than a month, and it was only on 22 December that the company responded. Even so, it remains unclear whether the data has been secured.
It is also unknown whether any third parties accessed the exposed data, so anyone with a 21 Buttons account should remain cautious nonetheless.
The case has been reported to the app's management, and it is up to them to mitigate the damage by implementing privacy measures, both to retain users and to avoid the GDPR fines that could be imposed on a Spain-based network.
They may also have to contend with criticism from competitors over the laxity of their security measures.