Fashion app leaks data from top European influencers

[German]The social e-commerce app 21 Buttons has just had a major privacy incident. Security researchers found a cloud storage used by the app that was publicly accessible and contained personal and financial data of 21 Buttons users.


Who is 21 Buttons?

Based in Barcelona, Spain, 21 Buttons mixes online shopping with social media. Users post photos of their favorite outfits with links to the brands they wear. Their followers can then buy their favorite pieces directly from the corresponding brands in the app. Users of the 21 Buttons Rewards program receive a commission on all purchases made through their profiles.

21 Buttons has quickly become popular in Europe, with an estimated 2 million monthly active users in 2018 and partnerships with the biggest brands and influencers on the continent. That same year, 21 Buttons secured $17 million in private investment to expand into the U.S. Since launch, 21 Buttons has raised US$30 million in funding.

The Data Breach

The information has been send a few days ago by vpnMentor, who documented the incident in this blog post. Their team of security researchers came across a misconfigured Amazon bucket that contained personal and financial data of 21 Buttons users. The company stored over 50 million pieces of data from the app in a misconfigured AWS cloud storage bucket.

For example, the databases contained invoices with personal data and financial information of users (including well-known European influencers), in addition to social media posts and profiles. The invoices reveal information such as the amounts influencers earn on the platform. This is enriched with sensitive personal data of these people such as their full names, country of residence, zip code, bank details, national ID number and Paypal email address.

The data must have been publicly accessible between August 2016 and October 2020. Had these records fallen into the hands of criminal hackers, the consequences for those affected would have been profound. Security researchers found the open database on November 2, 2020, and contacted both the company and Amazon to inform them of the misconfiguration.
Dates on which vendors were contacted: Nov. 5, Nov. 12, Dec. 8, 2020
Dates Amazon was contacted: Nov. 10, Dec. 8, 2020
Date of response: Dec. 22, 2020


After several attempts to contact 21 Buttons (see timelines above), security researchers finally received a response from their customer support on Dec. 22, 2020 (over a month and a half since the first contact attempt). 21 Buttons stated that they would "immediately forward the message to the appropriate department" who would contact us after reviewing our information. At the time of publishing this post, the security researchers are still waiting to be contacted. Am curious to see what will become of the case – because this is something for the data protection supervisory authority, since DSGVO relevant.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *