More Than 12,000 Influencers, Brands Targeted in Latest Data Breach

It happened to Target, Forever 21, Neiman Marcus, TJX Companies, and Yahoo. Their systems were infiltrated by hackers and the data that they had stored, including consumers’ names, addresses, payment information, and in some cases, social security numbers, were stolen. Now, influencers and high-end beauty and fashion brands, are the target, as Octoly, a Paris-based influencer agency, has confirmed that it has experienced a data breach, putting more than 12,000 prominent social media influencers from YouTube, Instagram, and Twitter at risk.

According to researchers at security firm UpGuard, as reported by Fashionista, the influencers at issue - who have remained unnamed by the media - were working alongside “household names like Dior, Estée Lauder, and Lancôme,” as well as  LVMH-owned Make Up For Ever, Clarins, and Yves Saint Laurent. 

Aside from the thousands of high-profile influencers and big-name brands connected with the breach, one of the most striking elements at play, according to UpGuard, is how the breach was handled. In short: Octoly reportedly did little to re-secure the at-risk information for nearly a month.

On January 4th, UpGaurd’s Director of Cyber Risk Research Chris Vickery discovered an Amazon Web Services S3 cloud storage bucket at the subdomain “Octoly,” which indicated the hack. According to the security firm, it notified Octoly of the breach via email on January 4th. As noted by Gizmodo, “The following day, a direct message was sent to the company on Twitter. UpGuard called Octoly’s corporate office twice over the course of a week without receiving a response. The data, meanwhile, remained accessible to anyone with the know-how to locate it—namely, hackers trolling the internet for random unsecured Amazon servers.”

Octoly’s co-founder, Fabien Guiraud, reached out to UpGuard on January 14th, at which point the company ensured that many of hacked records were secured. Nonetheless, “the client database containing a wealth of personally identifiable information remained accessible online,” per Gizmodo.

The company’s “inability to secure this data for weeks after being notified by UpGuard, despite repeated follow-up communication and instruction on how to do so, is an unfortunate illustration of how not to respond to news of a data exposure,” says UpGuard cofounder and co-CEO Mike Baukes.

Taken in full, UpGuard states that this data exposure provides a number of lessons. Primarily, “the ability to swiftly and decisively secure data in the event of a cyber incident is not just necessary to avoid financial and reputational damage critical to any business’s long-term fortunes. Nor is it necessary simply to protect blameless third-party enterprises of the sort exposed in this breach that merely wanted to better attract customers.”

Ultimately, UpGuard argues that “cyber resilience is necessary to protect the basic wellbeing and security of the individuals supplying their personal information to enterprises - the disclosure of which may increasingly be a dangerous outcome.”

More Than Financial Risk

In addition to the financial risk for the breached company (and those impacted), such hacks present risks that extend beyond money. “The greatest risk presented in this exposure is human, not financial,” UpGuard stated in blog post on Monday. “The leak of the personal details of over 12,000 internet users with a degree of fame sufficient for major brands to seek their favor could have grave consequences."

"With online harassment endemic, particularly for women, the exposure of their phone numbers, addresses, and full names could have tragic consequences," per UpGuard. "Recent cyberstalking incidents affecting well-known YouTube and Instagram personalities of the sort recruited by Octoly show that such dangers are hardly implausible.”

As for what brands and influencers with Octoly accounts should do, UpGuard PR director Kelly Rethmeyer told Fashionista that "it would be wise for users to change their Octoly account passwords, and if those passwords were re-used on other services like email, they should change those other passwords, as well."