Massive “V Shred” Data Breach Exposes More Than 99,000 Customers

• “V Shred” has left an unprotected database online, exposing the sensitive details of 99,000 clients.
• The data that has leaked includes names, home addresses, Social Security Numbers, and phone numbers.
• The impact on both the clients and the brand is substantial, and it may push the firm to bankruptcy.

Users of the “V Shred” platform have had their personal data exposed, after the fitness and nutrition company misconfigured their main Amazon Web Services S3 bucket. The discovery of the unprotected database came from N. Rotem and R. Locar, on May 14, 2020. “V Shred” was contacted four days later but failed to reply. The researchers then reached out to an AWS representative who eventually took action and disabled the leaking bucket on June 18, 2020. This makes up for a total of over a month of exposure, which is more than enough for malicious actors to locate and steal the files.

The unsecured S3 bucket contained 606 GB of data that affect over 99,000 customers. The 1.38 million files contained in the database concern PII, before/after photos, user profile details, and custom meal plans. In addition to the client details, there was also data on 52 trainers who work for V Shred. The PII entries were logged in CSV files, and consist of the following details:

• Full names
• Home addresses
• Email address
• Phone numbers
• Birthdays
• Social security number
• Spouse names
• Social media accounts
• Username and password
• Gender
• Health conditions
• Age range
• Citizenship status

The potential impact that this data’s exposure could have on the “V Shred” customers ranges from scamming and highly targeted phishing to blatant extortion. Considering that even social security numbers have been exposed, the possibility of identity theft is also substantial. If you are a V Shred customer, you should be very careful with incoming emails asking you to “update” your details or provide more info. Besides that, if anyone posts your images online, you may take legal action against them. As for V Shred, the impact on them is quite substantial, as they have failed to protect such sensitive information and then failed to respond to the warning messages sent by the researchers.

Apart from the loss of trust towards the “V Shred” brand, the company is also entering legal trouble due to this incident. Being a Las Vegas-based company with customers from 119 countries, their security lapse has repercussions relating to the GDPR and the CCPA, so it’s likely that they will now become the subject of investigations that will lead to huge fines. V Shred is one of those smaller companies in the right field to reap the fruits of the people's sudden interest spike towards fitness and nutrition. Thus, this incident may bring their end, highlighting the importance of ensuring data security above anything else.