Google Cloud leak linked to Shark Tank contestant exposes 83,000


A leaking Google Cloud Storage bucket linked to Alice’s Table, a Shark Tank contestant offering virtual floral arrangement classes, has exposed the personal data of over 83,000 customers.

The Cybernews research team discovered the misconfigured cloud bucket on April 28th during a routine investigation using open-source intelligence (OSINT) methods.

Our researchers were able to trace the Google bucket back to Alice’s Table, which was founded in 2015 by Boston entrepreneur Alice Lewis and is now part of the 1-800-Flowers family of brands.

ADVERTISEMENT

In 2017, Alice’s Table secured a $250,000 investment from Mark Cuban and Sara Blakely after a successful pitch on ABC’s Shark Tank during its appearance in Season 9.

In addition to floral arrangements, the platform’s “curated live streaming experiences” also include culinary and cocktail workshops.

The leaking Google cloud bucket contained tens of thousands of files with the personally identifiable information (PII), such as emails and home addresses, of the platform’s clients in the United States.

Cybernews has contacted the United States Computer Emergency Readiness Team (US-CERT) regarding the incident and the ticket has been closed on their end.

Neither Alice’s Table nor 1-800-Flowers have responded to Cybernews’ request for comment at the time of publishing.

alice_personal
Exposed personal emails, home addresses. Screenshot by Cybernews

What data was exposed?

A total of 37,349 files comprising 10,183 XLSX and CSV files with the PII were discovered in the leaking Google Cloud bucket. The exposed data included:

ADVERTISEMENT
  • Full names
  • Email addresses
  • Home addresses
  • Order details

The leak primarily consisted of personal email addresses, but a “significant portion” were professional email accounts, according to Cybernews researchers.

These included accounts affiliated with companies like BCG, Pfizer, PwC, Charles Schwab, and government employees.

While business emails are typically considered to be semi-confidential and may not contain highly classified or private information, they could be used to access sensitive information or conduct targeted attacks.

“If business email addresses are leaked, it can lead to various risks such as phishing attacks, spamming, identity theft, and unauthorized access to confidential information,” Cybernews researchers said.

Bad actors could also use victims’ personal data to search the internet for more information that could further their financial and personal agendas, something known as “doxxing.”

The leak of home addresses adds another dimension to the security concerns, exposing victims to potential physical incursions.

alice_corporate
Exposed corporate emails, adressess. Screenshot by Cybernews

Mitigating the risks

To mitigate the risks, cybersecurity experts advise immediately revoking public access to the affected bucket and reviewing access logs retrospectively to determine if any unauthorized parties accessed it.

ADVERTISEMENT

Affected organizations should also enable server-side encryption for the bucket to ensure that stored data is encrypted while at rest and consider client-side encryption for maximum security.

Establishing a schedule of regular security audits and reviews of all Google Cloud Storage will offer additional protection.

“This proactive approach helps identify and address any security risks or vulnerabilities, reducing the likelihood of future data leaks and ensuring ongoing compliance with security standards,” Cybernews experts said.