InfoSecBulletin Cybersecurity for mankind
A Google Cloud Storage bucket linked to Alice’s Table, a Shark Tank contestant offering virtual floral arrangement classes, has leaked personal data of over 83,000 customers. Cybernews and Cyble researchers found a misconfigured cloud bucket while investigating.
Researchers found that the Google bucket belonged to Alice’s Table, a company founded by Alice Lewis in 2015 and now part of the 1-800-Flowers family of brands.
CVSS 9.6: IBM QRadar & Cloud Pak Security Flaws Exposed
ALERT
Thousands of IP addresses compromised nationwide: CIRT warn
New Android Malware ‘Crocodilus’ Targets Banks in 8 Countries
Qualcomm Patches 3 Zero-Days Used in Targeted Android Attacks
Critical RCE Flaw Patched in Roundcube Webmail
Hacker claim Leak of Deloitte Source Code & GitHub Credentials
CISA Issued Guidance for SIEM and SOAR Implementation
Linux flaws enable password hash theft via core dumps in Ubuntu, RHEL, Fedora
Australia enacts mandatory ransomware payment reporting
Why Govt Demands Foreign CCTV Firms to Submit Source Code?
Alice’s Table received a $250,000 investment in 2017 after successfully pitching on ABC’s Shark Tank during Season 9. Mark Cuban and Sara Blakely were the investors.
In addition to floral arrangements, the platform’s “curated live streaming experiences” also include culinary and cocktail workshops. The Google cloud bucket leaked many files with personal information, like emails and home addresses, of clients in the US.
Cybernews has contacted the United States Computer Emergency Readiness Team (US-CERT) regarding the incident and the ticket has been closed on their end.
Neither Alice’s Table nor 1-800-Flowers have responded to Cybernews’ request for comment at the time of publishing.
What data was exposed?
37,349 files were found in the leaking Google Cloud bucket, including 10,183 XLSX and CSV files containing PII. The exposed data included:
Full names
Email addresses
Home addresses
Order details
The leak primarily consisted of personal email addresses, but a “significant portion” were professional email accounts, according to Cybernews researchers. These accounts were connected to companies such as BCG, Pfizer, PwC, Charles Schwab, and government employees.
Business emails are usually seen as semi-confidential and may not have highly classified or private information, but they could still be used to access sensitive information or carry out targeted attacks.
“If business email addresses are leaked, it can lead to various risks such as phishing attacks, spamming, identity theft, and unauthorized access to confidential information,” Cybernews researchers said.
Bad actors could also exploit victims’ personal data for online searches that could further their financial and personal agendas, a tactic commonly referred to as “doxxing.”
The leak of home addresses adds another dimension to the security concerns, exposing victims to potential physical incursions.
Source: Cybernews, Cyble
