The CyberNews research team discovered an unsecured, publicly accessible Amazon Simple Storage Service (S3) bucket containing confidential data belonging to IndieFlix.
IndieFlix is a US-based entertainment company offering a subscription-based online video streaming service that mainly specializes in independent titles, including feature films, shorts, and documentaries.
The data bucket discovered by CyberNews contains over 90,000 files related to the IndieFlix streaming service. This includes scans of confidential motion picture acquisition agreements, tax ID requests that include filmmaker social security numbers and employer identification numbers, as well as relatively detailed contact information of thousands of film professionals. Additionally, the bucket hosts thousands of video files of movie clips and trailers that can be accessed and downloaded by anyone with a direct link to the files.
After CyberNews contacted IndieFlix and Amazon Web Services, the bucket was secured and is no longer accessible.
What data is in the bucket?
The unsecured Amazon S3 bucket contains 93,867 publicly accessible files, including:
- 4,275 motion picture acquisition agreements and contract addendums
- 3,217 scans of requests for tax identification numbers that include addresses, signatures, as well as social security numbers and/or employer identification numbers of the filmmakers or their distribution agents
- A contact list of 5,966 film industry professionals, including their full names, email addresses, street addresses, phone numbers, and zip codes
- 15,225 video files, which include clips and trailers from the platform’s Quick Pick feature library
The vast majority of the files stored in the unsecured bucket are film thumbnail pictures and various promotional materials. The motion picture acquisition agreements, tax ID requests, and contract addendum scans all date between 2013 and 2016.
Example of motion picture acquisition agreement:
Example of tax ID request:
Example of filmmaker contact records:
During our correspondence with IndieFlix, CEO Scilla Andreen indicated that the confidential documents stored in the bucket were uploaded to the server by mistake. “We have been storing these types of documents in a secure private drive, not in AWS. The documents in the S3 bucket were an old archive that was mistakenly uploaded,” says Andreen.
Storing anything on a publicly accessible server without any kind of authentication in place is dangerous, a lesson many organizations still tend to learn the hard way. Seeing small, socially minded companies like IndieFlix fail to secure their data is particularly heartbreaking.
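As an added example (not from the CyberNews report or from IndieFlix), the following Python checks an S3 bucket's ACL and bucket-policy documents for exactly the kind of anonymous-read grant that exposes a bucket like this one; the sample documents and the bucket name example-archive are constructed.

```python
# Offline check for the misconfiguration behind this leak: an S3 bucket whose
# ACL or bucket policy grants read access to everyone.  The documents below are
# constructed, not IndieFlix's; in practice they come from get_bucket_acl /
# get_bucket_policy (boto3) or the AWS console.
PUBLIC_GROUPS = {  # AWS predefined groups that make an ACL grant public
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
READ_ACTIONS = {"s3:*", "s3:Get*", "s3:GetObject"}

def public_acl_grants(acl):
    """Permissions the ACL hands to AllUsers/AuthenticatedUsers."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g["Grantee"].get("Type") == "Group"
                  and g["Grantee"].get("URI") in PUBLIC_GROUPS)

def _any_principal(p):
    """True for Principal "*" or {"AWS": "*"} / {"AWS": ["*", ...]}."""
    if p == "*":
        return True
    aws = p.get("AWS", []) if isinstance(p, dict) else []
    return "*" in ([aws] if isinstance(aws, str) else aws)

def public_policy_statements(policy):
    """Sids of unconditional Allow statements letting anyone read objects."""
    hits = []
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        if (st.get("Effect") == "Allow" and _any_principal(st.get("Principal"))
                and not st.get("Condition") and actions & READ_ACTIONS):
            hits.append(st.get("Sid", "<no Sid>"))
    return hits

def is_exposed(acl, policy):
    return bool(public_acl_grants(acl) or public_policy_statements(policy))

# Constructed weak configuration: anyone with a link can list and fetch files.
LEAKY_ACL = {"Grants": [{"Grantee": {"Type": "Group",
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]}
LEAKY_POLICY = {"Statement": [{"Sid": "PublicRead", "Effect": "Allow",
                "Principal": "*", "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::example-archive/*"}]}
# Corrected configuration: owner-only ACL and no public policy statement
# (S3 Block Public Access at the account level also neutralises such grants).
SAFE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID"},
            "Permission": "FULL_CONTROL"}]}
SAFE_POLICY = {"Statement": []}
```

Running `is_exposed(LEAKY_ACL, LEAKY_POLICY)` reports the archive as public, while the owner-only configuration passes; a statement with a `Condition` (for example an IP restriction) is deliberately not flagged, since it is not an unconditional anonymous grant.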
Who had access to the bucket?
At the time of writing this report, it is unclear if anyone had access to the unsecured bucket. While IndieFlix believes that the bucket has been publicly accessible since May 2015, the company has not found any suspicious activity or unauthorized access attempts to any of its accounts during the period.
According to Scilla Andreen, the IndieFlix administrative team uses “password management software and multi-factor authentication (where available) to secure [their] accounts” and, in order to increase their efforts to secure their customer and client data, IndieFlix assured CyberNews that the streaming service will be “immediately dedicating time and resources towards an information security audit.”
With that being said, the files were stored in a publicly accessible Amazon S3 bucket. Accessing and downloading files hosted on public servers requires almost no technical knowledge, which means there is a possibility that the data contained in this bucket may have been accessed by bad actors for malicious purposes.
What’s the impact?
Even though most of the personally identifiable data stored by IndieFlix on the unsecured Amazon server is not deeply sensitive, a single social security number contained in a tax ID request can fetch about $4 – a relatively good price – on the dark web, putting the total black market value of the SSNs found in the bucket at up to $13,000.
Acquiring someone’s social security number or employer identification number is one of the first steps toward committing identity theft. By adding more personal details like names, emails, phone numbers, addresses – some of which are present in the contact file stored in this bucket – as well as acquiring scans of other documents like passports and driver’s licenses on the black market, cybercriminals can, in the worst-case scenario, take out loans (for example, coronavirus relief loans), credit cards, or other paid services in the victims’ names.
Even the humble email address can be enough for bad actors to run spamming campaigns and send phishing emails to the unsuspecting recipient.
Finally, attackers can use the data to blackmail filmmakers or their agents by threatening to publicize the confidential content found in the motion picture acquisition agreements.
What to do if you’ve been affected?
For film industry professionals and organizations that signed agreements with IndieFlix or gave the company their contact details between 2013 and 2016, we recommend the following steps to detect and respond to any suspicious activity or fraud:
- Review recent activities on their email accounts for suspicious messages and requests
- Set up identity theft monitoring
- Notify law enforcement in case of any blackmail attempts
We discovered the unsecured bucket on July 15 and immediately notified IndieFlix about the leak. However, we received no response from the company because the recipient of our inquiry was on maternity leave. For that reason, we reached out to Amazon on July 22 to help secure the bucket. As soon as Amazon notified the owner through the AWS platform, IndieFlix secured the bucket.