The Personal Data of 350,000 Social Media Influencers and Users Is at Risk After a Preen.me Data Breach

Preem.me Data Breach

Despite evidence to the contrary, social media influencers are a lot more than a bunch of selfie enthusiasts with plenty of time on their hands. These people usually have a large following on social media platforms, and businesses of all shapes and sizes are more than happy to take advantage of this. The so-called influencer marketing industry is booming, and it's not difficult to see why.

On the one hand, companies can use the influencers to reach a wide audience, and for the influencers themselves, this is a pretty good way of securing a substantial income. There are even special platforms that link popular social media users to businesses that want to advertise their products. These platforms need to handle and protect people's personal data, however, and as Preen.me has proven, they sometimes fail to do it properly.

Preen.me has suffered a data breach

On June 6, a dark web forum user announced that they had managed to attack Preen.me successfully. The hacker claimed that they had stolen the personal data of about 100 thousand influencers, and they said that they had already threatened the platform to leak the data if a ransom isn't paid.

Researchers from Risk Based Security paid close attention to the situation. They had seen the hacker in action in the past and knew that the threats are most likely real. Sure enough, when the threat actor posted a sample of 250 records on PasteBin, Risk Based Security's experts confirmed that the social media links, emails, physical addresses, and phone numbers of quite a few influencers have been put at risk.

The hacker stated that they'd publish the entire database before June 8, but apparently, their plans have changed because, according to Risk Based Security, the influencers' data still hasn't been fully leaked. Instead, the hacker opted to expose the personal details of quite a few regular social media users.

The personal data of about a quarter of a million regular users gets exposed

About a week after the initial post, the threat actor published a database with a little over 253 thousand records containing Facebook names, IDs, URLs, and friends lists as well as Twitter IDs and Twitter names. This time, the data didn't belong to influencers but rather to people who had downloaded and used ByteSizedBeauty, an application developed by Preen.me. Along with social media information, these people had their home and email addresses, dates of birth, and data related to the way they look exposed.

Another database published by the same hacker left the researchers a bit confused. It also appeared to be coming from Preen.me, and it contained about 252 thousand usernames, email addresses, names, and passwords. When they took a closer look, however, Risk Based Security's experts saw that most of the passwords are either generated automatically or consist of a single character, which led them to believe that they might be looking at dummy data created for ByteSizedBeauty users who used different authentication methods. The 100 thousand social media authentication tokens found in the same database certainly support this theory.

Preen.me refuses to acknowledge the breach

The potential consequences for the affected individuals can be massive. According to the researchers' report, some of the influencers have more than 500 thousand followers, and the hackers will try everything they can to use the leaked information to compromise their social media accounts. Both influencers and regular users who were affected by the breach are at risk of sophisticated spearphishing attacks as well as numerous other scams.

Open Preen.me's website, however, and you'll be left with the impression that nothing has happened. Risk Based Security's researchers tried to notify the company immediately after they learned about the breach, but Preen.me didn't respond to their emails. Right now, more than three weeks after the breach was uncovered, the influencer marketing platform still hasn't announced anything officially.

It's been proven time and again that burying your head in the sand is not really the best way to handle a cybersecurity incident, but it looks like some companies simply refuse to learn.

June 29, 2020

Leave a Reply