The fitness brand V Shred exposed the personal information of 99,000 customers and coaches. Most worrying, however, is that it has not yet fixed the problem with the database responsible for the data leak.
V Shred is a Las Vegas-based company that offers fitness programs for women and men, with an emphasis on fast workouts, nutritional programs and food supplements. The company says it has customers in 119 countries, 12 million unique visitors to its site per month and more than 40,000 subscribers to its university program.
On Thursday, the vpnMentor research team revealed the V Shred data leak. According to the findings, an unprotected AWS S3 bucket exposed the identities of at least 99,000 people.
The exposed bucket was discovered on May 14. Originally, it contained 1.3 million files (606 GB). The files contained names, home addresses, email addresses, dates of birth, social security numbers, social media account details, usernames, passwords, age, gender, nationality and more.
Among the files were three .CSV files. The most important of these was the 180 MB one, which contained the identities of tens of thousands of people.
Some parts of the database, which included diet guides, training programs and user photos, remained accessible even after the leak was revealed.
CSV files that appear to contain coach and customer information remain exposed.
In addition, the database contains "before and after" customer photos, i.e. photos showing the physical condition of clients before and after starting the exercise and diet program.
Based on the information in the database, it was not difficult to verify that V Shred was the owner. Both V Shred and AWS were notified of the problem on May 18 and 20, respectively.
V Shred responded to the research team through Amazon on June 1. In communication with the researchers, a member of the V Shred team denied that there was a problem with data leakage.
Initially, he said the database was only used to store web assets, CSS and media files, adding that if the data were not public, members would not be able to download their diet and exercise program.
In addition, V Shred said that in order to access such content, a link must have been shared or a user must have logged in with credentials.
However, the researchers explained that the database is also open to anonymous users.
On June 18, the main .CSV file, which contained identity information, was removed, but the rest is still accessible.
"V Shred is a new company and seems to be run by a small team," said vpnMentor. "However, it is still responsible for protecting the people who use its products and subscribe to its services. Without this, V Shred endangers the privacy and security of individuals and the future of the company itself."