Paleohacks data leak exposes customer records, password reset tokens

The leak wasn’t dealt with until Amazon was contacted directly.
Written by Charlie Osborne, Contributing Writer

A popular online resource for paleo recipes and tips was the source of a data leak impacting roughly 70,000 users. 

On Thursday, researchers from vpnMentor revealed that a misconfigured Amazon AWS S3 bucket was the central point of the data breach: the bucket was used to store the private data and records of users.

Los Angeles-based Paleohacks runs a website containing recipes, meal plans, and articles on the paleolithic lifestyle, including downloadable guides, a forum, and an e-commerce store. 

The team, led by Noam Rotem, said that there was a failure to implement "basic data security protocols" on the S3 bucket, and the misconfiguration meant that the bucket's contents could be read by the public without any access restriction.
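The misconfiguration described here, a bucket whose policy or ACL grants access to any caller, is something a defender can check for in the JSON that `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` return. The following is an added example, not code from vpnMentor or Paleohacks; it works offline on constructed sample policies (the bucket name, account id and role name are made up) and flags Allow statements whose Principal is anonymous, as well as ACL grants to the AllUsers or AuthenticatedUsers groups.

```python
import json

# Constructed sample bucket policy: one statement grants s3:GetObject to
# everyone, which is the classic "public bucket" misconfiguration.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed sample of a restricted policy: only one IAM role may read.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
})

# Constructed sample ACL in the shape get-bucket-acl returns: the owner has
# FULL_CONTROL and the AllUsers group has READ, i.e. anyone can list objects.
PUBLIC_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

# Grantee URIs meaning "everyone" and "any AWS account"; both count as public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    """IAM JSON allows a string or a list in most positions; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """True when the Principal element matches any caller ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy_json):
    """Return the Sids of Allow statements that grant access to anonymous callers.

    Statements with a Condition block are reported as well: a condition such as
    aws:SourceIp may narrow access, but a reviewer should still look at it.
    """
    policy = json.loads(policy_json)
    flagged = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_anonymous(stmt.get("Principal")):
            flagged.append(stmt.get("Sid", f"statement-{idx}"))
    return flagged


def public_acl_grants(grants):
    """Return the permissions an ACL hands to the AllUsers/AuthenticatedUsers groups."""
    found = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append(grant.get("Permission"))
    return found


if __name__ == "__main__":
    print("public policy statements:", public_policy_statements(PUBLIC_POLICY))
    print("private policy statements:", public_policy_statements(PRIVATE_POLICY))
    print("public ACL grants:", public_acl_grants(PUBLIC_ACL_GRANTS))
```

A check like this is a review aid, not a substitute for the platform control: enabling S3 Block Public Access at the account level rejects public policies and ACLs regardless of what an individual bucket is configured with.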

The bucket contained roughly 6,000 files holding the records of approximately 69,000 users. According to the researchers, the content spanned 2015 to 2020 and included personally identifiable information (PII) such as full names, email addresses, IP addresses, login timestamps, locations, dates of birth, bios, and profile pictures. 

While passwords were hashed, vpnMentor said that some entries also contained password reset tokens for subscription and membership services. These tokens were protected with the bcrypt hashing algorithm, but it could still be possible to abuse the tokens to hijack user accounts. 
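What limits the damage from a leaked store of reset tokens is not only that the stored values are hashed but that each token is short-lived, single-use and revocable. The following is an added example of that lifecycle, not Paleohacks' or vpnMentor's code. It stores SHA-256 digests rather than the bcrypt hashes the article mentions: a token drawn from 256 bits of randomness cannot be brute-forced from its digest, so a slow password hash adds nothing for this use. The 15-minute lifetime and the in-memory store are assumptions standing in for a real policy and database table.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumption: a reset link is valid for 15 minutes


def _digest(token):
    """Hash the token so a database leak exposes nothing that can be redeemed."""
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    """In-memory stand-in for a database table that holds only token digests.

    The clock is injectable so expiry can be tested without sleeping.
    """

    def __init__(self, clock=time.time):
        self._clock = clock
        self._rows = {}  # digest -> {"user": ..., "expires": ..., "used": bool}

    def issue(self, user_id):
        """Create a token for the user; the raw token is returned once and never stored."""
        token = secrets.token_urlsafe(32)  # 32 bytes = 256 bits of randomness
        self._rows[_digest(token)] = {
            "user": user_id,
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "used": False,
        }
        return token

    def redeem(self, token):
        """Return the user id if the token is valid, otherwise None.

        A token can be redeemed once; a second attempt with the same value fails,
        so a token that leaks after use cannot be replayed.
        """
        row = self._rows.get(_digest(token))
        if row is None:
            return None
        if row["used"] or self._clock() > row["expires"]:
            return None
        row["used"] = True
        return row["user"]

    def revoke_all(self, user_id):
        """Invalidate every outstanding token for a user, e.g. after a suspected leak."""
        for row in self._rows.values():
            if row["user"] == user_id:
                row["used"] = True


if __name__ == "__main__":
    store = ResetTokenStore()
    token = store.issue("user-1")
    print("first redeem:", store.redeem(token))   # user-1
    print("second redeem:", store.redeem(token))  # None, already used
```

The `revoke_all` step is what an operator would run across every affected account once a store of tokens is known to have been exposed, so that any token copied from the leaked records is dead before it can be tried.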

The unsecured bucket was discovered on February 4. vpnMentor attempted to contact the vendor on February 7, 9, and March 17; however, there was no response. As a result, the team reached out to Amazon as a last resort.

It is not known if any unauthorized individuals have accessed the bucket. 

"Our team was able to access Paleohacks' S3 bucket because it was completely unsecured and unencrypted," the company says. "If you're a customer of Paleohacks and are concerned about how this breach might impact you, contact the company directly to determine what steps it's taking to protect your data."

Paleohacks has not responded to requests for comment at the time of publication. 
