V Shred, a fitness brand operating in 100+ countries with offerings on fitness plans and education, has had its database exposed. The exposure was found by a research team from VPNmentor back in May and reported via AWS, since the data was exposed through an AWS S3 bucket. The leaked details consist of personally identifiable information of at least 99,000 users.
Sensitive Data of At Least 99,000 Users Exposed!
V Shred claims to have a presence in over 119 countries and 12 million unique visitors to its website every month. It focuses on fast workouts, nutrition plans, and fitness supplements, and has 40,000 subscribers to its University program! And now, as reported by ZDNet, V Shred’s database stored in an AWS S3 bucket was left open!
This was first discovered by the VPNmentor research team on May 14 this year. The open bucket contained about 1.3 million files (totaling 606GB) relating to at least 99,000 users. Among the files were three CSV files: a lead generation list, a client email list, and a trainer list.
The exposed data contained personally identifiable information such as users’ names, home addresses, email addresses, dates of birth, some Social Security numbers, social media account details, usernames and passwords, age ranges, genders, citizenship status, and other data points. One .CSV file in particular, which weighed 180MB, had details of tens of thousands of users. There were also before-and-after photos of members.
When contacted by the VPNmentor research team, V Shred responded via Amazon Customer Service and denied any issue with the database exposure. It further defended itself, saying the open bucket consisted of CSS and media files, which should be accessible to members so they can download their meal or training plans.
After it was explained that the bucket is accessible to anonymous people too, V Shred removed the .CSV file containing members’ PII, but still left the rest of the bucket open. It claims the database would be accessible only to members who receive a link to their diet or training plan and need to log in, and is thus safe.