Popular new-age spirituality platform leaks its followers' data
The email addresses of more than 270,000 spiritual healing seekers were made public due to cybersecurity neglect.

On November 24th, the Cybernews research team discovered a publicly accessible database belonging to an alternative spirituality platform, The Shift Network.

The platform, which has over 800,000 monthly visitors, offers courses and webinars and promotes events on energy healing, psychic skill development, shamanic practices, witchcraft, and other new-age spiritual practices.

The web server had directory listing enabled, exposing a browsable directory that contained a database backup from 2021. The database was most likely the one used in the site's production environment.
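The misconfiguration described above is a web server that renders its directories as browsable listings. Below is an added illustration, not The Shift Network's actual configuration, showing the weak nginx setting beside a hardened one; the server names, paths and file extensions are placeholders chosen for the example.

```nginx
# Added illustration, not the platform's own configuration.
# Server names and paths are placeholders.

# Weak: autoindex renders every file under the web root as a clickable listing,
# so a backup dropped into a served directory is exposed to anyone who finds the URL.
server {
    listen 80;
    server_name weak.example.invalid;
    root /var/www/weak-site;
    autoindex on;
}

# Hardened: listings off (nginx's default, stated explicitly), and dump, backup
# and archive file types refused even if one accidentally lands in the web root.
server {
    listen 80;
    server_name hardened.example.invalid;
    root /var/www/hardened-site;
    autoindex off;

    # Backup and dump formats should never be served from the document root.
    location ~* \.(sql|sql\.gz|bak|dump|tar|tar\.gz|zip)$ {
        deny all;
    }

    # Dotfiles such as .env or .git often hold credentials or source history.
    location ~ /\. {
        deny all;
    }
}
```

The `deny all` rules are a safety net, not the primary control: database backups belong outside the web root altogether, on storage that the web server process cannot read, and a periodic check of what the server actually lists and serves catches the case where a backup job changes its output path.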

Open web directory with backup

The 2 GB of leaked data exposed more than 270,000 email addresses belonging to platform users. Leaking such a large number of email addresses poses a serious threat, as malicious actors can exploit them for spamming and phishing attacks.


The database also publicly disclosed over 200 credentials belonging to the platform's administrators, including emails and hashed passwords. Additionally, it revealed the packages and plugins used by the site, information that itself posed a risk to the platform's safety.

Emails sent to speakers

While the leaked employees' passwords were hashed, it is entirely possible that they could have been cracked, particularly if a fast or unsalted hashing scheme was used, and then used for further access into the company's internal systems.

Speakers' phone numbers

This could have led to attackers launching malicious payloads, such as ransomware, and compromising a larger share of customer data. Knowing which plugins and packages the site uses would have further assisted malicious actors in exploiting the platform.

Leaked employees' credentials

The leak also exposed the personal data of the speakers featured in the spiritual courses the platform offers. The data included names, email addresses, phone numbers, and the events they spoke at. Malicious actors can exploit this data for phishing and targeted fraud attempts.

Leaked speakers' emails

Cybernews contacted the company, which has since secured the exposed data. An official comment has yet to be received.