While this blog post describes a data exposure discovery involving Octoly, this is no longer an active data breach. The UpGuard Cyber Risk Team notified Octoly of this publicly exposed information, and action was subsequently taken, securing the open buckets and preventing further access.
In a striking illustration of how cyber risk affects even the newest and most novel enterprises in the digital economy, the UpGuard Cyber Risk Team can now disclose that a cloud repository belonging to Octoly, a Paris-based brand marketing company, was left exposed, revealing a backup of their enterprise IT operations and sensitive information about thousands of the firm’s registered online personalities. The leak, which resulted from the erroneous configuration of the repository for public access, revealed the contact information and personal details of over twelve thousand influential "creators" - largely Instagram, Twitter, and YouTube personalities supplied by Octoly with beauty products, merchandise, and gaming content from the marketing firm’s industry clients, which include household names like Dior, Estée Lauder, Lancôme, and Blizzard Entertainment.
Exposed within the data store are the real names, addresses, phone numbers, email addresses - including those specified for use with PayPal - and birth dates for these creators, many of them otherwise anonymous in their online ventures. Also exposed are thousands of hashed user passwords, which, if cracked, could lead to password reuse attacks against various online accounts belonging to creators, the usernames for which are also in the repository. Highly detailed data analysis, customized for thousands of specific creators and brands, was also revealed, providing further insight into Octoly’s inner workings.
Beyond the potential damage to Octoly’s business reputation through the leak of privileged internal data, the exposure of information involving the firm’s enterprise customers illustrates how one breach can implicate many more entities - the essence of third-party risk. The potential for identity theft, password reuse attacks, and account takeovers of affected creators, launched by malicious actors, is also considerable. This cloud leak raises the specific prospect of established, largely female internet personalities facing harassment or misuse of their actual personal details in their real lives, a common and increasingly dangerous phenomenon online, while the exposure of popular internet gaming personalities invites the danger of gruesome “swatting” attacks on their homes.
The Discovery
On January 4th, 2018, UpGuard Director of Cyber Risk Research Chris Vickery discovered an Amazon Web Services S3 cloud storage bucket at the subdomain “octoly,” a clear indication of the repository’s origin. Stored within the bucket is a repository of internal files critical to Octoly’s operations, including a backup of Octoly’s operational database, “octoly_production.sql.” Taken in full, the repository exposes the inner workings of Octoly’s digital brand marketing operations across Europe and North America. After multiple notifications of the exposure to the affected entity, by January 12th the damaging SQL backup would be deleted from the repository. Remaining exposed, however, was a large number of regularly updated spreadsheets containing personally identifiable information (PII) - data that would not be secured until February 1st, despite further notifications.
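The bucket described above was reachable because its access configuration allowed anonymous listing and reads. The following is an added example, not code from UpGuard or Octoly, showing how a defender can audit an S3 bucket's policy document and ACL grants offline for exactly that class of misconfiguration: an Allow statement whose Principal is everyone ("*") with no Condition, or an ACL grant to the AllUsers or AuthenticatedUsers groups. The bucket name `example-backups`, the account id `123456789012`, the role name and the policy and ACL documents are all constructed placeholders; the function inputs are shaped like what boto3's `get_bucket_policy()` (the `Policy` string) and `get_bucket_acl()` (the `Grants` list) return, so the checks can be pointed at real responses.

```python
import json

# Real S3 group URIs that make an ACL grant world- or any-AWS-user-readable.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# Constructed sample: a bucket policy that lets anyone list the bucket and fetch
# every object in it. A misconfiguration of this kind is what turns a private
# backup store into a publicly browsable one.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicListAndRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
    }],
})

# Constructed sample: the corrected policy, granting the same actions only to a
# single IAM role (placeholder account id and role name).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "BackupRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
        "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
        "Resource": ["arn:aws:s3:::example-backups", "arn:aws:s3:::example-backups/*"],
    }],
})

# Constructed sample in the shape of boto3's get_bucket_acl()["Grants"]: the owner
# plus a READ grant to the AllUsers group, which also makes the bucket public.
EXPOSED_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]


def _principal_is_public(principal):
    """True when a policy Principal means 'everyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return the Sids (or positional labels) of unconditional Allow statements
    granted to everyone. policy_json is the bucket policy as a JSON string;
    None means the bucket has no policy, which cannot expose it by itself."""
    if policy_json is None:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be an object, not a list
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Conditioned public grants (e.g. restricted by source IP) need a human
            # reviewer; this checker deliberately does not guess at their intent.
            continue
        findings.append(stmt.get("Sid", f"statement[{index}]"))
    return findings


def public_acl_grants(grants):
    """Return (group, permission) pairs for ACL grants to the public S3 groups."""
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            findings.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return findings


def is_public(policy_json, grants):
    """A bucket is publicly exposed if either its policy or its ACL opens it up."""
    return bool(public_policy_statements(policy_json) or public_acl_grants(grants))


if __name__ == "__main__":
    print("exposed policy :", public_policy_statements(EXPOSED_POLICY))
    print("restricted     :", public_policy_statements(RESTRICTED_POLICY))
    print("exposed ACL    :", public_acl_grants(EXPOSED_ACL))
    print("public?        :", is_public(EXPOSED_POLICY, EXPOSED_ACL), is_public(RESTRICTED_POLICY, []))
```

Note that the policy check only decides the unconditional "everyone" case and leaves conditioned grants for manual review, and that an ACL grant alone is enough to flag a bucket: both paths need to be clean before a bucket can be called private.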
The exposed data reveals details about three categories of affected entities and individuals. The first, “users,” refers to Octoly employees. The second, “clients,” is comprised of enterprises that employ Octoly as a partner, typically for the purpose of connecting these brands to the twelve thousand exposed members of the third category, “creators.” Largely young and female, spanning the globe from the firm’s home country of France to the rest of Europe and the United States, Octoly’s “creators” are social media users specializing in using and reviewing beauty products or playing and critiquing video games, typically in YouTube vlogs and Twitch streams, or via Instagram, Snapchat, and Twitter.
Octoly advertises its services as “empowering influencers to become successful entrepreneurs,” stating on its website, “We like to play matchmaker and create lasting connections between influencers and brands.” What does this actually mean, and how does Octoly’s business work? In practice, as recounted in a 2016 Forbes profile, Octoly places products made by its brand customers in the hands of its registered creators, active on social media. The ultimate goal behind such product placement is to increase the number of reviews made by vloggers, Instagram stars, and Twitter users trusted by young consumers, thereby increasing sales with the hard-to-reach youth demographic.
While Octoly states that no money changes hands between the firm, the brands, and these creators for such reviews, the creators are able to choose from a free assortment of merchandise offered by Octoly from their brand partners. As Octoly needs to be able to send free products to these influential creators - and, for analytical purposes, track the reach and success of such product placements - the company registers these creators within their IT systems, gathering a great deal of personal details, including the creators’ contact information.
Such personal information for over twelve thousand people was exposed in the bucket. A table titled “Creators” contains such details as the real names, home addresses, birth dates, and phone numbers of these individuals, many of them known only by their first names or pseudonymously online. These real-life personal details are linked in the table to their usernames on Octoly and, where applicable, on YouTube and Instagram, as well as to their reviews - breaching any anonymity these creators may have cultivated.
Beyond these personally identifying details, the table also contains creators’ email addresses, including those used for PayPal accounts where applicable, as well as hashed sets of passwords presumably used to access the Octoly website.
In addition to these personal details, the bucket also contains a large amount of brand and analytical information, the disclosure of which could be damaging to Octoly’s business operations. Revealed within the files are the names of some six hundred major brands patronizing Octoly’s influencing services, including aforementioned industry giants like Dior, Estée Lauder, and Lancôme, international brands like L’Oreal and Pierre Fabre, and US-based companies like Beauty Solutions, Ltd. and Birchbox.
Finally, stored alongside all of this data in the repository are hyperlinks for over twelve thousand publicly accessible reports apparently compiled by Deep Social, a data analytics firm which bills itself as “helping the influencer marketing industry perfectly match advertisers' products with influencers' engaged audience.” The Deep Social reports, generated for each of the individual creators registered with Octoly, provide highly detailed and specific analysis of creators’ online influence, down to the ages, interests, and locations of followers, as well as which brands are most appealing to them. Such information constitutes Octoly’s bread and butter, and would be valuable corporate intelligence for any competing marketing firm.
The Significance
This exposure reveals a number of significant threat vectors that could have been exploited by malicious actors. Octoly’s incident response, from the highest corporate levels, did not properly account for the significance of the exposed data. The corporation’s deletion of one backup file, while failing to secure the S3 bucket or remove any of the large amount of other damaging data still exposed, left a large amount of personally identifiable information exposed weeks after Octoly assured the UpGuard Cyber Risk Team that the breach had been closed.
The greatest risk presented in this exposure is human, not financial. The leak of the personal details of over twelve thousand internet users with a degree of fame sufficient for major brands to seek their favor could have grave consequences. With online harassment endemic, particularly for women, the exposure of their phone numbers, addresses, and full names could have tragic consequences. Recent cyberstalking incidents affecting well-known YouTube and Instagram personalities of the sort recruited by Octoly show that such dangers are hardly implausible.
The exposure of a number of professional video game streamers and vloggers in this breach, cultivated by Octoly in addition to their beauty and fashion counterparts, conjures the specific threat of “swatting,” a disturbing form of criminal menacing well-known to the gaming community. Swatting, in which a caller falsely reports a crime in progress at the address of the targeted victim, has been repeatedly used to harass and victimize individuals encountered through online gaming. A recent example, originating from a dispute between players of an online video game, resulted in the fatal shooting of a Kansas man at the hands of police.
Beyond the dangers posed by the leak of such personal details, the exposure of creators’ hashed passwords, emails, and various usernames and social media account locations creates the strong potential for secondary attacks fueled by data found in this exposure. While Octoly creator passwords are hashed with bcrypt, at least some of these passwords could, with time and effort, be cracked by a committed malicious actor. Whether used to access creator accounts or tried on other platforms like Instagram or Twitter, such cracked passwords could let malicious actors widen the damage through successive password reuse attacks, owing to the common reuse of the same password across multiple platforms.
Octoly’s potential business damages as a result of this breach are also noteworthy. The public disclosure of the deep analytical work Octoly provides for brands certainly constitutes a damaging leak of information that could be used by competitors and unsavory online marketers. But it is the presence of personally identifiable information for individuals across Europe - from Octoly’s home country of France, ranging beyond to Germany, Spain, and the UK - that calls to mind the European Union’s General Data Protection Regulation (GDPR), a strict set of requirements for security and privacy that will come into effect in May 2018. With its stringent rules that sensitive information of the type exposed in this incident be secured, enterprises that fail to comply with GDPR will in the future face “steep penalties of up to €20 million or 4 percent of global annual turnover.” Such hefty fines will impose an even heavier cost on enterprises that do not value cyber resilience and fail to keep personally identifiable information secure.
The publication of the brands using Octoly’s services also introduces the specter of third-party vendor risk, in which external partners can leak damaging internal information shared out of necessity. Octoly’s cyber risk score of 760, out of a possible maximum score of 950, shows a few chinks in the armor of the firm’s security posture. The essence of third-party vendor risk is that an external entity can, by the very nature of modern data sharing, expose other enterprises to risks they would not otherwise invite. While Instagram scores a higher cyber risk score of 814, the leak from Octoly nevertheless exposed Instagram accounts to the possibility of password reuse attacks, and linked Instagram accounts to the real identities of users. The work of Deep Social, the analytics firm behind Octoly’s customized creator reports, is another example of how thoroughly such privileged trade information can be compromised in a partner firm’s data exposure.
Taken in full, this data exposure provides a number of lessons. The ability to swiftly and decisively secure data in the event of a cyber incident is not just necessary to avoid financial and reputational damage critical to any business’s long-term fortunes. Nor is it necessary simply to protect blameless third-party enterprises of the sort exposed in this breach that merely wanted to better attract customers. Ultimately, cyber resilience is necessary to protect the basic wellbeing and security of the individuals supplying their personal information to enterprises - the disclosure of which may increasingly be a dangerous outcome.