Report: VEED.io Exposes Private User Videos in Data Leak
vpnMentor’s research team, led by renowned analysts Noam Rotem and Ran Locar, recently discovered a security breach in a database belonging to video editing platform VEED.io.
London-based VEED gives users the tools to upload videos and optimize them for sharing on social media. With over 50,000 worldwide users, their customer base includes creatives, influencers, corporate businesses, and regular social media users.
The breached database compromised the privacy of every VEED user, exposing all content uploaded to the platform in its raw, unedited form. This included private videos of a very sensitive nature.
Timeline of Discovery and Owner Reaction
Sometimes, the extent of a data breach and the owner of the database are obvious, and the issue is quickly resolved. But these times are rare. Most often, we need days of investigation before we understand what’s at stake or who’s leaking the data.
Understanding a breach and its potential impact takes careful attention and time. Our team needs to be thorough and make sure everything we find is correct and true. Occasionally, the affected parties deny the facts, disregarding our research or playing down its impact.
Fortunately, this time around the team quickly identified VEED as the owners of the data. Hosted on Amazon Web Services (AWS), the database was an S3 Bucket – a common form of storage on AWS.
We contacted the company to alert them to the vulnerability; however, it was many weeks before we received a reply. In the meantime, we also contacted AWS directly to notify them of the issue. Once AWS reached out to VEED, the breach was closed.
- Date discovered: 12/10
- Date vendors contacted: 15/10
- Date of contact with AWS: 27/10
- Date of reply from AWS: 29/10
- Date of Action: Approx. 05/11
- Date of Reply from VEED: 21/11/19
Example of Entries in the Database
The AWS bucket contained 10,000s of videos in both raw and edited forms. These had been uploaded by VEED users across the globe and included marketing material, family videos, and even home-made pornography.
It’s also possible some of the videos included various forms of illegal content.
Our researchers were able to access and view, in theory, any content uploaded to VEED, regardless of whether it was made for private or public viewing.
Data Breach Impact
This data breach represents a serious lapse in basic security protocol for VEED. By exposing their entire database of user-generated content, they risked the privacy of their customers, as well as their entire business.
Data security is a growing concern for all internet users regardless of what website, tool, or platform they’re using. Businesses using VEED for marketing and promotional purposes will be concerned their private content was open to the public before they released it, potentially leading to loss of clients or corporate legal action.
Similarly, if some videos include illegal content, this could make VEED liable for legal action.
For individual users, the exposed database compromised them personally. It was unclear which video files were meant for private use and which were intended for uploading to social media.
Take, for example, the pornographic material.
The creators of these videos would be justifiably uncomfortable with them being accessible to the public. This is more serious than just potentially embarrassing: private, intimate, home-made pornography is a valuable tool in blackmail and extortion.
Criminals and malicious hackers could use these videos against their creators to target them in various ways, with ruinous consequences, personally and financially.
Advice from the Experts
VEED could have easily avoided this leak if they had taken some basic security measures to protect the S3 Bucket. Any company can replicate the following steps, no matter its size:
- Secure your servers.
- Implement proper access rules.
- Never leave a system that doesn’t require authentication open to the internet.
For a more in-depth guide on how to protect your business, check out our guide to securing your website and online database from hackers.
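As an added example (not part of the original report, and not code from VEED or vpnMentor), the following offline Python check applies the access-rule advice above to an S3 bucket's configuration and lists the reasons unauthenticated users could read it. The bucket name and sample inputs are constructed; their shapes follow the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock responses, and skipping statements that carry a Condition is a simplification.

```python
import json
from fnmatch import fnmatchcase
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # ACL group: anyone
READ_ACTIONS = ("s3:getobject", "s3:listbucket")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    # "*" and {"AWS": "*"} both match every caller, signed in or not
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def _grants_read(stmt):
    # IAM action names are case-insensitive and may contain wildcards
    patterns = [a.lower() for a in _as_list(stmt.get("Action", []))]
    return any(fnmatchcase(r, p) for r in READ_ACTIONS for p in patterns)

def public_read_findings(policy_json, acl_grants, public_access_block):
    """Return the reasons a bucket is readable without authentication."""
    pab = public_access_block or {}
    findings = []
    # RestrictPublicBuckets=True makes S3 refuse anonymous use of a public policy
    if not pab.get("RestrictPublicBuckets"):
        for stmt in _as_list(json.loads(policy_json or "{}").get("Statement", [])):
            # Simplification: any statement with a Condition is treated as not public
            if (stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal"))
                    and not stmt.get("Condition") and _grants_read(stmt)):
                findings.append("policy: anonymous " + ", ".join(_as_list(stmt["Action"])))
    # IgnorePublicAcls=True makes S3 ignore ACL grants to the AllUsers group
    if not pab.get("IgnorePublicAcls"):
        for grant in acl_grants:
            if (grant["Grantee"].get("URI") == ALL_USERS
                    and grant["Permission"] in ("READ", "FULL_CONTROL")):
                findings.append("acl: AllUsers " + grant["Permission"])
    return findings

# Constructed sample inputs (hypothetical bucket "example-uploads")
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": ["s3:GetObject", "s3:List*"],
     "Resource": ["arn:aws:s3:::example-uploads", "arn:aws:s3:::example-uploads/*"]}]})
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
LOCKED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(public_read_findings(OPEN_POLICY, OPEN_ACL, None))
    print(public_read_findings(OPEN_POLICY, OPEN_ACL, LOCKED_PAB))
```

For a real bucket, the three inputs can be exported with `aws s3api get-bucket-policy`, `get-bucket-acl` and `get-public-access-block`; an empty result from the function means none of the checked rules grants anonymous read.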
For VEED Users
Unlike most data leaks we discover and analyze, changing your account login details won’t make a difference here. The leak exposed video content uploaded to VEED without requiring a user’s login details to access it.
For this reason, it’s up to VEED to close the breach and protect the videos from outside parties.
If you’re a VEED user and concerned about how this breach might impact you, contact them and ask what steps they’re taking.
To learn about data vulnerabilities in general and how to protect yours from leaking, read our complete guide to online privacy.
It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.
How and Why We Discovered the Breach
The vpnMentor research team discovered the breach in VEED’s databases as part of a huge web mapping project. Our hackers use port scanning to examine particular IP blocks and test open holes in systems for weaknesses. They examine each hole for data being leaked.
When they find a data breach, they use expert techniques to verify the database’s identity. We then alert the company to the breach. If possible, we will also alert those affected by the breach.
VEED was using an open S3 Bucket database on AWS, which they had not secured properly. While AWS provides the tools to secure the buckets, making them inaccessible to outside parties, it’s up to their customers to use them.
We were able to access VEED’s S3 Bucket because it was completely unsecured and unencrypted. Using a web browser, the team could access all files hosted on the database.
The purpose of this web mapping project is to help make the internet safer for all users.
As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. This is especially true when the company’s data breach contains such sensitive and damaging information.
These ethics also mean we carry a responsibility to the public. VEED users must be aware of a data breach that impacts them.
About Us and Previous Reports
vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
We recently discovered a huge data breach impacting 80 million US households. We also revealed that a breach in Biostar 2 compromised the biometric data of over 1 million people. You may also want to read our VPN Leak Report and Data Privacy Stats Report.
[Publication date: 20.11.2019]