Led by Noam Rotem, vpnMentor’s research team discovered a data breach affecting health and lifestyle brand Paleohacks.
Paleohacks teaches people how to adopt the paleo diet into their lifestyles through various media products, from recipes and meal plans to podcasts and courses.
The data breach originated from a cloud storage account Paleohacks was using to store the private data and personal details of over 70,000 customers and users. The company had failed to implement basic data security protocols. As a result, anyone whose data had been collected by Paleohacks was at risk of fraud, identity theft, hacking, and much more.
This data breach represents a serious lapse in security by Paleohacks, threatening the wellbeing of its customers – and the company itself. At the time of writing, the company has ignored every attempt Vpnmentor’s team made to help them close the vulnerability and told them that they’re ‘not interested.’
Paleohacks was using an Amazon Web Services (AWS) S3 bucket to store its customer data. S3 buckets are a hugely popular form of enterprise cloud storage used by 100,000s of businesses worldwide. However, AWS requires clients to manually set up their data privacy protocols when creating an S3 bucket account.
Paleohacks failed to install any privacy protocols on its S3 bucket – leaving the entire contents exposed to anyone with the most basic hacking skills.
VpnMentor’s team discovered the Bucket and quickly identified Paleohacks as its owner. After a quick but thorough investigation to confirm the nature of the breach and its implications, they reached out to the company and presented their findings.
Over a month passed, VpnMentor’s team didn’t receive a single reply from Paleohacks regarding the breach.
In late April, nearly three months after they discovered the breach, and after sending numerous emails to Paleohacks, they finally received an email from a representative of the company. She told them that she ‘isn’t interested in the data breach. They reiterated that they were not disclosing the breach to sell their services or asking for compensation – they’re simply trying to keep Paleohacks’ customers safe.
The Paleohacks representative claimed to be an independent contractor and suggested we contact the company directly. They repeated that they had attempted to do so numerous times already, with no success. She replied simply “If no one replies then they aren’t interested. Sorry about that.”
Example of Entries in the S3 Bucket
While the number of files was small compared to some breaches and leaks they’ve discovered in the past, they still exposed sensitive data of close to 70,000 people worldwide.
Paleohacks was using the bucket to store Personally Identifiable Information data collected from its entire userbase, dating all the way back to 2015. Anyone who signed up for a service (like a course or newsletter) or bought a product from the company (like a recipe book) was potentially exposed.
Aside from PII data, the bucket also included details uploaded by users when creating accounts on Paleohacks’ “Q&A community”, exposing a vast amount of personal information for 10,000s of people.
The private personal user data they viewed included:
- Full names
- Email addresses
- Hashed passwords
- IP addresses
- Timestamps for logins
- Profile descriptions (bios)
- Employers and company details
- Personal websites
- Date of birth
- Avatar URL (profile picture)
- Points earned on Paleohacks products
The following screenshots demonstrate how the data was stored and the type of photos exposed.
For Paleohacks’ Customers
If you’re a customer of Paleohacks and are concerned about how this breach might impact you, contact the company directly to determine what steps it’s taking to protect your data.
To learn about data vulnerabilities in general, read VpnMentor’s complete guide to online privacy.
It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.