IndieFlix streaming service leaves thousands of confidential agreements, filmmaker SSNs, videos exposed on public server

by Edvardas Mikalauskas
30 July 2020
in Security

In order to increase efforts to secure customer and client data, IndieFlix will be “immediately dedicating time and resources towards an information security audit.”

The CyberNews research team discovered an unsecured data bucket on a publicly accessible Amazon Simple Storage Service (S3) server containing confidential data belonging to IndieFlix.

IndieFlix is a US-based entertainment company offering a subscription-based online video streaming service that mainly specializes in independent titles, including feature films, shorts, and documentaries.

The data bucket discovered by CyberNews contains over 90,000 files related to the IndieFlix streaming service. This includes scans of confidential motion picture acquisition agreements, tax ID requests that include filmmaker social security numbers and employer identification numbers, as well as relatively detailed contact information of thousands of film professionals. Additionally, the bucket hosts thousands of video files of movie clips and trailers that can be accessed and downloaded by anyone with a direct link to the files.

After CyberNews contacted IndieFlix and Amazon Web Services, the bucket was secured and is no longer accessible.

What data is in the bucket?

The unsecured Amazon S3 bucket contains 93,867 publicly accessible files, including:

  • 4,275 motion picture acquisition agreements and contract addendums
  • 3,217 scans of requests for tax identification numbers that include addresses, signatures, as well as social security numbers and/or employer identification numbers of the filmmakers or their distribution agents
  • A contact list of 5,966 film industry professionals, including their full names, email addresses, street addresses, phone numbers, and zip codes
  • 15,225 video files, which include clips and trailers from the platform’s Quick Pick feature library

The vast majority of the files stored in the unsecured bucket are film thumbnail pictures and various promotional materials. The motion picture acquisition agreements, tax ID requests, and contract addendum scans all date between 2013 and 2016. 

[Images: example of a motion picture acquisition agreement (censored), example of a tax ID request, example of filmmaker contact records]

During our correspondence with IndieFlix, CEO Scilla Andreen indicated that the confidential documents stored in the bucket were uploaded to the server by mistake. “We have been storing these types of documents in a secure private drive, not in AWS. The documents in the S3 bucket were an old archive that was mistakenly uploaded,” says Andreen.

Storing anything on a publicly accessible server without any kind of authentication process in place is dangerous, which is a lesson many organizations still tend to learn the hard way. Seeing small, socially-minded companies like IndieFlix fail to secure their data is particularly heartbreaking.

Who had access to the bucket?

At the time of writing this report, it is unclear if anyone had access to the unsecured bucket. While IndieFlix believes that the bucket has been publicly accessible since May 2015, the company has not found any suspicious activity or unauthorized access attempts to any of its accounts during the period.

According to Scilla Andreen, the IndieFlix administrative team uses “password management software and multi-factor authentication (where available) to secure [their] accounts” and, in order to increase their efforts to secure their customer and client data, IndieFlix assured CyberNews that the streaming service will be “immediately dedicating time and resources towards an information security audit.”

With that being said, the files were stored on a publicly accessible Amazon S3 server. Accessing and downloading files hosted on public servers requires almost no technical knowledge, which means that there is a possibility that the data contained in this bucket may have been accessed by bad actors for malicious purposes.

What’s the impact?

Even though most of the personally identifiable data stored by IndieFlix on the unsecured Amazon server is not deeply sensitive, a single social security number contained in a tax ID request can fetch about $4 – a relatively good price – on the dark web, putting the total black market value of the SSNs found in the bucket at up to $13,000.

Acquiring someone’s social security number or employer identification number is one of the first steps toward committing identity theft. By adding more personal details like names, emails, phone numbers, addresses – some of which are present in the contact file stored in this bucket – as well as acquiring scans of other documents like passports and driver’s licenses on the black market, cybercriminals can, in the worst-case scenario, take out loans (for example, coronavirus relief loans), credit cards, or other paid services in the victims’ names.

Even the humble email address can be enough for bad actors to run spamming campaigns and send phishing emails to the unsuspecting recipient.

Finally, attackers can use the data to blackmail filmmakers or their agents by threatening to publicize the confidential content found in the motion picture acquisition agreements.

What to do if you’ve been affected?

For film industry professionals and organizations that have signed agreements with IndieFlix or given the company their contact details between 2013 and 2016, we recommend doing the following in case of any suspicious activity or fraud:

  • Review recent activities on their email accounts for suspicious messages and requests
  • Set up identity theft monitoring
  • Notify law enforcement in case of any blackmail attempts

Disclosure

We discovered the unsecured bucket on July 15 and immediately notified IndieFlix about the leak. However, we received no response from the company due to the fact that the recipient of our inquiry was on maternity leave. For that reason, we reached out to Amazon on July 22 in order to help secure the server. As soon as Amazon notified the owner through the AWS platform, IndieFlix closed the database.
