Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

E-commerce app 21 Buttons exposes millions of users’ data

Researchers discovered that the popular e-commerce app 21 Buttons was exposing private data for 100s of influencers across Europe. Researchers from cybersecurity firm vpnMentor discovered that the e-commerce app 21 Buttons was exposing private data for 100s of influencers across Europe. 21 Buttons allows users to shares photos of their outfits with links to the brands they’re […]

UK Visa Site data leak

Researchers discovered that the popular e-commerce app 21 Buttons was exposing private data for 100s of influencers across Europe.

Researchers from cybersecurity firm vpnMentor discovered that the e-commerce app 21 Buttons was exposing private data for 100s of influencers across Europe.

21 Buttons allows users to shares photos of their outfits with links to the brands they’re wearing, then their followers can purchase their favorite clothes directly from the relevant brands using the app.

There are different platforms that have carved out a niche for themselves on the internet. 21 Buttons with over 5 million downloads on Android happens to be one such social network that is primarily geared towards the fashion industry.

Fashion influencers can earn a commission for any purchases made via their profiles.

On 2 November 2020 vpnMentor experts discovered that the 21 Buttons app was using a misconfigured AWS bucket that has exposed the data of hundreds of influencers.

“The company was storing over 50 million pieces of data from the app on a misconfigured AWS cloud storage bucket. Buried amongst all this data, we discovered invoices for commissions paid by 21 Buttons to 100s of influencers all around Europe, based on the value of sales made through their profiles.” reads the report published by vpnMentor.

“The invoices exposed a massive amount of information about how much individual influencers earn on 21 Buttons, along with incredibly sensitive personal information.”

The misconfigured AWS bucket was containing over 50 million files at the time of the discovery, including sensitive info such as full names, addresses, financial information (i.e. bank account numbers, PayPal email addresses), photos, and videos.

The huge trove of data includes over 400 invoices that provides information on how much the various brand had paid in commissions to the influencers.

Prominent influencers impacted by the data leak are:

Data included in the S3 bucket could be used by threat actors to carry out multiple malicious activities, including phishing attacks, fraud and identity theft, stalking, and harassment.

vpnMentor researchers pointed out that data remained exposed online for more than a month since they first reported the discovery to the company. Only on 22nd December, vpnMentor received the reply of 21 Buttons, but it is unclear if it has secured the data.

At the time it is impossible to determine if anyone had access to the exposed data.

21 Buttons may also face negative backlash and other consequences as a result of this data breach, including fines and legal action, loss of customers and partners, and negative publicity.

Below the timeline of discovery:

  • Date discovered: 2nd Nov. 2020
  • Dates vendors contacted: 5th Nov., 12th Nov., 8th Dec. 2020
  • Dates Amazon Contacted: 10th Nov., 8th Dec. 2020
  • Date of Response: 22nd Dec. 2020
  • Date of Action:

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]