The US charity Breastcancer.org suffered a misconfigured bucket exposure of over 350,000 files containing sensitive images of users.
The SafetyDetectives cybersecurity team discovered 150 GB of exposed data in the bucket with over 50,000 user avatars. Two separate databases contained different types of information, including user avatars (profile pictures on the website) and post images.
“While this is publicly available information, user avatars could be used in conjunction with EXIF data to identify vulnerable users,” the report explains.
Post images, in turn, were uploaded by users separately to the charity’s website. The researchers detected over 300,000 such files and EXIF data attached to each post image. Such data can expose additional details about the user, including the image’s GPS location and information about the device which took the image. No contact details of website users seem to be affected.
Both private and public images were exposed in the bucket. “Private” files included sensitive user images intended for medical screening, as well as test results. At the time when the bucket was discovered, it was still constantly being updated with new data, likely affecting users globally.
While the website has 200,000 registered users, it is likely that not all of them were affected by the incident. The minimum number of exposed users, however, stands at 50,000, accounting for the avatars discovered in the bucket.
“The number of exposed people could be higher, however, considering that users could be exposed in post images even if their user avatar is not included on the bucket,” the report suggests.
The bucket was discovered on November 11th, 2021, and considering its contents, it was still in use at the time.
“It contained files dating back to April 2017, though, filenames suggest some of these images date back to 2014 and were migrated to the bucket in 2017. We saw recent files on the bucket, too, dated mid-November 2021,” the report explains.
The researchers note that while the bucket was an Amazon S3 bucket, the provider was not responsible for the misconfiguration.
Following the exposure, users could suffer from harassment, phishing campaigns, or targeted attacks. In turn, the charity might face legal charges upon the investigation by the Federal Trade Commission (FTC.)
More from Cybernews:
Subscribe to our newsletter