Popular new-age spirituality platform leaks its followers' data

Last updated: 29 March 2024
The shift network data leak
Image by Cybernews

The email addresses of more than 270,000 spiritual healing seekers were made public due to cybersecurity neglect.

On November 24th, the Cybernews research team discovered a publicly accessible database belonging to an alternative spirituality platform, The Shift Network.

The platform, with over 800 thousand monthly visitors, offers courses and webinars and promotes events on energy healing, psychic skill development, shamanic practices, witchcraft, and other new-age spiritual practices.

ADVERTISEMENT

The web server had directory listing enabled, which contained a database backup from 2021. It’s likely that the database was used in the site’s production environment.

Open web directory with backup
Open web directory with backup

2GB of leaked data exposed more than 270,000 emails belonging to platform users. Leaking such a large number of email addresses poses a serious threat, as they can be exploited by malicious actors for spamming and phishing attacks.

sss

The database also publicly disclosed over 200 credentials belonging to the platform's administrators, including emails and hashed passwords. Additionally, it revealed the packages and plugins used by the site posed a risk to the safety of the platform.

Emails sent to speakers
Emails sent to speakers

While the leaked employees’ passwords were hashed, it’s not unlikely that they could’ve been cracked and used for further access into the company's internal systems.

Speakers' phone numbers
Speakers' phone numbers
ADVERTISEMENT

This could have led to attackers launching malicious payloads, such as ransomware, and compromising a bigger chunk of customer data. Having the information on the types of plugins and packages the site uses would have further assisted malicious actors in exploiting the platform.

xxx
Leaked employees' credentials

The leak also exposed the personal data of the speakers featured in spiritual courses that the platform offers. Data included names, email addresses, phone numbers, and events they spoke at. This data can be exploited by malicious actors for phishing and targeted defrauding attempts.

Speakers' emails
Leaked speakers' emails

Cybernews contacted the company, and it secured access to the data. An official comment is yet to be received.

Share
Post
Share
Share
Share
More from Cybernews
DeepSeek created Chrome infostealer without hesitation, company remains silent
New trojan can spy, steal crypto and mask itself to avoid detection
Hackers claim they’ve breached Orange and have “very detailed” information
Bite-sized no more: why TikTokers now crave longer videos
“Lawyer up and sue this idiot into poverty:” how Garmin helped to solve hit-and-run
Top blockchain Solana shoots itself in the foot with gender identity-mocking ad
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked