Paleohacks User Records Leaked in Data Breach

If you are interested in following a paleo diet and eating like our hunter-gatherer ancestors, chances are you have at some point used the website Paleohacks. Paleohacks has been topping paleo site charts compiled by online outlets for a while and it has become the largest portal for paleo recipes and lifestyle. Sadly, it has also become the victim of a data leak that has affected roughly 70,000 of its users.

The data leak was revealed by researchers working with cyber security firm vpnMentor in late April. They traced the leak to a very common source: a poorly configured Amazon Web Services (AWS) S3 bucket, which served as the main point of entry. The bucket was used to store Paleohacks user data and records.

vpnMentor's researchers blamed the issue on what they called a failure to observe "basic data security" measures and protocols. This effectively means the information stored in the Amazon bucket was completely accessible not just to resourceful hackers, but to anyone with an active Internet connection.

The data of nearly 70,000 Paleohacks users was stored in the Amazon bucket, spread across about 6,000 files. The data was collected over the course of five years and included what is classified as personally identifiable information. The user records included names, emails, IP addresses, login locations, birth dates and even profile images.

The leak also included some users' password reset tokens, and even though the tokens themselves were encrypted, they could still potentially be abused for account takeover.

As with many data leaks, the faulty bucket was discovered months ago, in early February. vpnMentor were unsuccessful in their multiple attempts to contact Paleohacks in February and March, and ultimately the security company contacted Amazon directly, notifying them of the leaky bucket.

There is no hard evidence that the data was accessed by unauthorized third parties up to this point.

Paleohacks has also not responded to ZDNet's attempts to contact them for any further comments on the issue.

As usual, if you are a Paleohacks user, it would be wise to immediately change your login information and hope for the best. Data obtained in similar leaks could be used by bad actors in multiple ways, including attempted fraud using stolen personal information.

Data leaks like this one happen disconcertingly often and keep showing everyone how little control you have over your personal data once you submit it to a service or a website you want to use. This is why it is always a good idea to keep the accounts and services you use to a bare minimum, to minimize the chance of similar leaks affecting your personal information.

April 29, 2021
