The popular casting website of USA "MyCastingFile.com" leaked the data of about 260.000 people online. Investigators security of Safety Detectives, led by Anurag Sen, said in a report that the leak was discovered in early June.
New Orleans-based MyCastingFile.com is an online casting agency that hires actors to star in movies or TV shows. Users can register for free or for free subscription to apply for casting. The casting company claims to have provided actors for major productions, including True Detective, Pitch Perfect, NCIS: New Orleans and Terminator Genisys.
Safety Detectives researchers have discovered an open Elasticsearch server, hosted by Google Cloud, in the USA. The database was not secure through any form of authentication, resulting in some 10 million leaks archives. The base data The size of 1 GB and the researchers found that the profiles of 260.000 users of the casting website, including aspiring actors, were leaked, while the profiles of company employees may also have been leaked.
Identifiable information (PII) leaked online included names, home addresses, addresses e-mail, telephone numbers, work histories, dates of birth, physical characteristics (height - weight), nationality and external characteristics that are of interest to potential employers, such as hair length and color or eye color.
In addition, the leaked records contained information about the vehicles that the people may have had, such as model, color and year of manufacture. The violation also leaked photos of faces and bodies. However, not all the photos in the website files were leaked, as they were stored in many locations and through different services. in cloud.
People under the age of 18 can also register on the platform of the casting website, provided that their accounts are managed by their guardians and that they give their consent.
The researchers said that leaking data from the casting website could determine how much and which of the data leaked online belonged to children, although the security team did not perform a complete download or demographic analysis of the available data, mainly for ethical reasons.
His files server show that the leak first started on May 31st. MyCastingFile is moving to new ones platform, so this issue may be related to movement.
Safety Detectives investigators examined and verified the owner of the database, finding on June 11 that it belonged to MyCastingFile. The same day, MyCastingFile secured its server.
MyCastingFile's quick response to leakage is, unfortunately, rare these days. In many cases of data leak investigators, organizations need weeks or even months to deal with the problem, and it is not uncommon for them to simply ignore security warnings.