V Shred data leak exposes PII, sensitive photos of fitness customers and trainers

V Shred defended the public status of its open bucket and only partially solved the problem.
Written by Charlie Osborne, Contributing Writer

Fitness brand V Shred exposed the personally identifiable information (PII) of over 99,000 customers and trainers -- and has yet to fully resolve the leaking database responsible. 

Las Vegas-based V Shred is a company that offers fitness plans for women and men, with a focus on fast workouts, nutrition plans, and supplements. The firm says it has clients in 119 countries, 12 million unique visitors to its website per month, and over 40,000 subscribers to its university program. 

On Thursday, vpnMentor's research team, led by Noam Rotem and Ran Locar, publicly disclosed the data leak, in which an unsecured AWS S3 bucket exposed the PII of at least 99,000 individuals. 


The bucket, discovered on May 14, originally contained 1.3 million files, totaling 606GB of data. Among the files were three .CSV files of particular note: one that appeared to be a lead generation list, another a client email list, and a trainer list. 

Combined, the files contained names, home addresses, email addresses, dates of birth, some Social Security numbers, social media account details, usernames and passwords, age ranges, genders, and citizenship status, among other data points. 

The most significant .CSV file was 180MB in size and contained the PII of tens of thousands of people. 

ZDNet verified the open bucket and at the time of writing, many resources remain open and accessible, ranging from company materials to diet guides, workout plans, and user photos.


CSV files that appear to contain information relating to both trainers and clients remain exposed. IDs, first and last names, email addresses, genders, and client email addresses are included. 


In addition, the open bucket contains before-and-after photos of members, some of which could be deemed sensitive. 

Due to the company materials stored in the bucket, it was not difficult to ascertain that V Shred was the owner. Both V Shred and AWS were notified of the misconfigured bucket on May 18 and 20, respectively. 

V Shred responded to the research team via Amazon customer service on June 1. In a conversation between the company and researchers, a V Shred team member denied there was an issue with the exposure of PII. 


At first, the team member said that the bucket was only used to store web assets, CSS, and media files, adding that if the resources were made non-public, members would not be able to download their meal or training plans. 

In addition, V Shred said that in order to access such content, a link would have to be shared and/or a user would need to be logged in.  

However, the researchers explained that the bucket is open for anonymous users to browse, including each separate directory listing. 
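The difference between objects that must be downloadable and a bucket that anyone can browse shows up in the bucket policy. The following is an added example, not from the article or from V Shred's configuration, which the article does not publish: it audits two constructed policies for a placeholder bucket `example-bucket` and reports whether anonymous callers can list the bucket or only read objects. It is a simplified check that ignores `Condition`, `Deny`, `NotAction`, ACLs, and account-level public access settings.

```python
import fnmatch

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" or {"AWS": "*"} means anyone, including unauthenticated callers.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _grants(statement, action):
    # Action names are case-insensitive and may use wildcards ("s3:*", "s3:List*").
    patterns = _as_list(statement.get("Action", []))
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def audit_policy(policy):
    """Report what an anonymous caller is allowed to do under this policy."""
    report = {"anonymous_list": False, "anonymous_read": []}
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _is_anonymous(st.get("Principal")):
            continue
        if _grants(st, "s3:ListBucket"):
            report["anonymous_list"] = True   # bucket contents can be enumerated
        if _grants(st, "s3:GetObject"):
            report["anonymous_read"] += _as_list(st.get("Resource", []))
    return report

# Constructed policy: anyone can list the bucket and fetch every object.
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
     "Resource": "arn:aws:s3:::example-bucket"},
    {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"},
]}

# Constructed policy: only objects under one asset prefix are readable, no listing.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject"],
     "Resource": "arn:aws:s3:::example-bucket/public-assets/*"},
]}

if __name__ == "__main__":
    for name, pol in (("open", OPEN_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, audit_policy(pol))
```

A report with `anonymous_list` set to true, or with a bucket-wide `/*` resource under `anonymous_read`, means files such as CSV exports sit in the same publicly reachable space as the web assets.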

On June 18, the main .CSV file containing substantial PII was removed, but the rest of the bucket is still public and accessible. 

"V Shred is a young company and appears to be run by a small team," vpnMentor noted. "However, it's still responsible for protecting the people using its products and signing up for its services. By not doing so, V Shred has jeopardized the privacy and security of the people exposed and the future of the company itself."

V Shred has not responded to repeated requests for comment at the time of writing. 
