IndieFlix is a US-based entertainment company offering a subscription-based online video streaming service that mainly specializes in independent titles, including feature films, shorts, and documentaries.
The data bucket discovered by CyberNews contains over 90,000 files related to the IndieFlix streaming service. This includes scans of confidential motion picture acquisition agreements, tax ID requests that include filmmaker social security numbers and employer identification numbers, as well as relatively detailed contact information of thousands of film professionals. Additionally, the bucket hosts thousands of video files of short films, movie clips, and trailers that can be accessed and downloaded by anyone with a direct link to the files.
After CyberNews contacted IndieFlix and Amazon Web Services, the bucket has been secured and is no longer accessible.
The unsecured Amazon S3 bucket contains 93,867 publicly accessible files, including:
The vast majority of the files stored in the unsecured bucket are film thumbnail pictures and various promotional materials. The motion picture acquisition agreements, tax ID requests, and contract addendum scans all date between 2013 and 2016.
Example of motion picture acquisition agreement:
Example of tax ID request:
Example of filmmaker contact records:
During our correspondence with IndieFlix, CEO Scilla Andreen indicated that the confidential documents stored in the bucket were uploaded to the server by mistake. “We have been storing these types of documents in a secure private drive, not in AWS. The documents in the S3 bucket were an old archive that was mistakenly uploaded,” says Andreen.
Storing anything on a publicly accessible server without any kind of authentication process in place is dangerous, which is a lesson many organizations still tend to learn the hard way. Seeing small, socially-minded companies like IndieFlix fail to secure their data is particularly heartbreaking.
At the time of writing this report, it is unclear if anyone had access to the unsecured bucket. While IndieFlix believes that the bucket has been publicly accessible since May 2015, the company has not found any suspicious activity or unauthorized access attempts to any of its accounts during the period.
According to Scilla Andreen, the IndieFlix administrative team uses “password management software and multi-factor authentication (where available) to secure [their] accounts” and, in order to increase their efforts to secure their customer and client data, IndieFlix assured CyberNews that the streaming service will be “immediately dedicating time and resources towards an information security audit.”
With that being said, the files were stored on a publicly accessible Amazon S3 server. Accessing and downloading files hosted on public servers requires almost no technical knowledge, which means that there is a possibility that the data contained in this bucket may have been accessed by bad actors for malicious purposes.
Even though most of the personally identifiable data stored by IndieFlix on the unsecured Amazon server is not deeply sensitive, a single social security number contained in a tax ID request can fetch about $4 – a relatively good price – on the dark web, putting the total black market value of the SSNs found in the bucket at up to $13,000.
Acquiring someone’s social security number or employer identification number is one of the first steps toward committing identity theft. By adding more personal details like names, emails, phone numbers, addresses – some of which are present in the contact file stored in this bucket – as well as acquiring scans of other documents like passports and driver’s licenses on the black market, cybercriminals can, in the worst-case scenario, take out loans (for example, coronavirus relief loans), credit cards, or other paid services in the victims’ names.
Even the humble email address can be enough for bad actors to run spamming campaigns and send phishing emails to the unsuspecting recipient.
Finally, attackers can use the data to blackmail filmmakers or their agents by threatening to publicize the confidential content found in the motion picture acquisition agreements.
For film industry professionals and organizations that have signed agreements with IndieFlix or given the company their contact details between 2013 and 2016, we recommend doing the following in case of any suspicious activity or fraud:
We discovered the unsecured bucket on July 15 and immediately notified IndieFlix about the leak. However, we received no response from the company. For that reason, we reached out to Amazon on July 22 in order to help secure the server. They contacted the owner and the database was closed on the same day.
About the author Edvardas Mikalauskas:
Edvardas Mikalauskas is a writer for CyberNews.com. Ed’s interests include all things tech and cybersecurity. He’s been featured in Forbes, TechRadar, Reason, TechRepublic, and more. You can reach him via email or find him on Twitter chuckling at jokes posted by parody accounts.
(SecurityAffairs – hacking,IndieFlix )