IOTW: Online Fitness Organization V Shred Hesitantly Locks Down Some PII After Exposure

Yet another new threat landscape

Add bookmark

Seth Adler

Exercise during COVID-19 is experiencing an at-home revival. As gyms close and people wish to continue or start their physical health journey, new online options are popping up. The BBB reports that online fitness company, V Shred, became accredited in 2018. V Shred offers fitness plans, meal plans, and proprietary supplements to its clients. Matched with a personal trainer, V Shred uses online communications and databases to track and maintain client information and progress.

However, ethical hackers with the research group vpnMentor recently disclosed their discovery that over 99,000 V Shred clients and personal trainers have had personal information exposed through an unsecured AWS bucket. The bucket, known on the AWS platform as an Amazon S3 bucket, contained exceptionally personal client information such as full names, home and email addresses, citizenship status, social media accounts, health conditions, and revealing “before and after” body photos.

Measures That Should Have Been Taken

Although V Shred is a small, young company, it is their responsibility to secure S3 buckets. V Shred could have avoided the breach by taking simple security measures such as securing their servers and implementing security access controls (SAC). Further, it is important to note that the breach is not the fault of the S3 Bucket. V Shred could have made the bucket private while enacting with separate authentication measures and followed AWS access and authentication best practices at minimum.

Related: Behind The Data Breach: Understanding Cloud Security And Misconfigurations

Instead, when vpnMentor informed V Shred of the security issue, the company responded by denying the exposure of personal identifiable information (PII) and claimed that it was necessary for the user files to be publicly available. V Shred was notified of the issue on May 18th. It took them until June 18th to disable the file. Meal plans, workout instructions, and before and after photographs are still publicly available.

Far-Reaching Company And Customer Impact Potential

Such lackadaisical security efforts leave V Shred open for a number of issues. Clients may no longer trust the organization and move to another service in the currently oversaturated at-home fitness industry. The freely available IP is at risk of theft and replication. Perhaps most concerning is that the breach may lead to investigations, audits, and fines. V Shred’s clientele are also at risk of targeted phishing campaigns and even identity theft. ZDNet refrained from calling the indiscretion a breach, however, since it appears that the exposed information was locked down in time.

Lucky for V Shred, it appears that vpnMentor discovered the breach before malicious actors did. Still, the method they used is also used by hackers, stressing the importance of developing and following strong cyber security protocols.

Related: Global SMBs Report Third Straight Year Of Cyber-Attack Growth And Sophistication

No Business Is Too Small To Practice Cyber Security

It is true that small businesses don’t have the same resources as larger corporations. Most do business without a CISO or fancy security software, but that is no excuse to not follow basic security measures such as creating a continuity plan that includes information such as:

  • The data that is important to your company
  • Where that data lives
  • Who has access to that data

Small and medium-sized businesses (SMB) also have access to security services offered by their cloud provider. In the case of V Shred, Amazon S3 offers a detailed Security Best Practices guide for SMBs to follow and refer to that includes preventative best practices like:

  • Blocking public access
  • Utilizing AWS Trusted Advisor to examine S3 implementation
  • Practicing least privilege access

And monitoring and auditing best practices including:

  • Identifying and auditing all S3 buckets
  • Utilizing AWS monitoring tools
  • Enabling Amazon S3 server access logging

In the case of SMBs it is particularly critical that data incidents are prevented and handled well. Unlike larger enterprises, it may only take one small oversight that leads to one tiny security incident to ruin the entire brand. While the V Shred event may not have caused noticeable immediate damage, client and company relationships are sure to be affected.

Read More: Incident Of The Week