E-commerce app 21 Buttons exposes millions of users’ data

Researchers discovered that the popular e-commerce app 21 Buttons was exposing private data for 100s of influencers across Europe.

Researchers from cybersecurity firm vpnMentor discovered that the e-commerce app 21 Buttons was exposing private data for 100s of influencers across Europe.

21 Buttons allows users to shares photos of their outfits with links to the brands they’re wearing, then their followers can purchase their favorite clothes directly from the relevant brands using the app.

There are different platforms that have carved out a niche for themselves on the internet. 21 Buttons with over 5 million downloads on Android happens to be one such social network that is primarily geared towards the fashion industry.

Fashion influencers can earn a commission for any purchases made via their profiles.

On 2 November 2020 vpnMentor experts discovered that the 21 Buttons app was using a misconfigured AWS bucket that has exposed the data of hundreds of influencers.

“The company was storing over 50 million pieces of data from the app on a misconfigured AWS cloud storage bucket. Buried amongst all this data, we discovered invoices for commissions paid by 21 Buttons to 100s of influencers all around Europe, based on the value of sales made through their profiles.” reads the report published by vpnMentor.

“The invoices exposed a massive amount of information about how much individual influencers earn on 21 Buttons, along with incredibly sensitive personal information.”

The misconfigured AWS bucket was containing over 50 million files at the time of the discovery, including sensitive info such as full names, addresses, financial information (i.e. bank account numbers, PayPal email addresses), photos, and videos.

The huge trove of data includes over 400 invoices that provides information on how much the various brand had paid in commissions to the influencers.

Prominent influencers impacted by the data leak are:

• Carlota Weber Mazuecos
• Freddy Cousin Brown
• Marion Caravano
• Irsa Saleem
• Danielle Metz

Data included in the S3 bucket could be used by threat actors to carry out multiple malicious activities, including phishing attacks, fraud and identity theft, stalking, and harassment.

vpnMentor researchers pointed out that data remained exposed online for more than a month since they first reported the discovery to the company. Only on 22nd December, vpnMentor received the reply of 21 Buttons, but it is unclear if it has secured the data.

At the time it is impossible to determine if anyone had access to the exposed data.

21 Buttons may also face negative backlash and other consequences as a result of this data breach, including fines and legal action, loss of customers and partners, and negative publicity.

Below the timeline of discovery:

• Date discovered: 2nd Nov. 2020
• Dates vendors contacted: 5th Nov., 12th Nov., 8th Dec. 2020
• Dates Amazon Contacted: 10th Nov., 8th Dec. 2020
• Date of Response: 22nd Dec. 2020
• Date of Action:

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, data leak)

[adrotate banner=”5″]

[adrotate banner=”13″]