DataBreaches.Net

Vistaprint Logomaker files viewable due to insecure Amazon S3 bucket

Posted on December 28, 2019 by Lee J

Vistaprint. Everyone knows it and probably almost everyone knows somebody who has used the firm to design or print business cards, brochures, or other business-related stationery or marketing-related materials.

Recently I was on Vistaprint’s site to create a new logo for ctrlbox.com. To my unpleasant surprise, I discovered that the preview of the item displayed in my cart was hosted on an insecure Amazon S3 bucket that allowed viewing of more than 638,000 files.

Many of the files were default logomaker images, but many were also logos made by users of Vistaprint’s logomaker service. The logomaker service appears to be the only service on Vistaprint that serves files from an S3 bucket. All other services use another third-party web service that generates the previews and content in your chosen style.

While this is not a serious risk to anyone’s personal security, and no personal data was exposed beyond some test or saved logos from an online service, it is yet another reminder that no matter how large a corporation is, mistakes with cloud storage configuration still happen, and they happen more often as these services are used more and more widely.

The bucket at https://dst-logomaker.s3.amazonaws.com/ was closed within hours of my reporting it to them.
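The condition behind this exposure is a bucket that answers an anonymous listing request. The script below, an added example that is not code from the original post, reproduces the check: an unauthenticated GET on `https://<bucket>.s3.amazonaws.com/` that comes back with a `ListBucketResult` document means anyone can enumerate every key in the bucket, while an `AccessDenied` error means listing is closed. The classifier works on the status code and XML body, so it can be exercised offline against the constructed sample responses embedded in the script; the bucket name `example-bucket` and the object keys in those samples are made up, not captures from Vistaprint’s bucket.

```python
"""Check whether an S3 bucket answers anonymous listing requests.

Added example, not code from the original post. An S3 bucket is publicly
listable when an unauthenticated GET on https://<bucket>.s3.amazonaws.com/
returns a ListBucketResult document instead of an AccessDenied error; that
is the condition that exposed the logomaker files described above. The
response bodies embedded below are constructed samples, not captures from
Vistaprint's bucket.
"""
from __future__ import annotations

import sys
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

S3_NS = "{http://s3.amazonaws.com/doc/2006-03-01/}"  # namespace used by listing XML


@dataclass
class BucketCheck:
    verdict: str                      # public-listing | private | no-such-bucket | unknown
    keys: list[str] = field(default_factory=list)
    truncated: bool = False           # True if more than one page of keys exists
    error_code: str | None = None     # S3 <Code> value when the body is an <Error>


def classify_listing(status: int, body: bytes) -> BucketCheck:
    """Interpret the status and XML body of GET https://<bucket>.s3.amazonaws.com/."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return BucketCheck("unknown")
    # Listings are namespaced; S3 error documents are not.
    if status == 200 and root.tag == S3_NS + "ListBucketResult":
        keys = [c.findtext(S3_NS + "Key") or "" for c in root.iter(S3_NS + "Contents")]
        truncated = (root.findtext(S3_NS + "IsTruncated") or "false").lower() == "true"
        return BucketCheck("public-listing", keys, truncated)
    if root.tag == "Error":
        code = root.findtext("Code")
        if code == "NoSuchBucket":
            return BucketCheck("no-such-bucket", error_code=code)
        if code in ("AccessDenied", "AllAccessDisabled"):
            return BucketCheck("private", error_code=code)
        # e.g. PermanentRedirect: the bucket exists in another region; re-check
        # against the <Endpoint> named in the body before concluding anything.
        return BucketCheck("unknown", error_code=code)
    return BucketCheck("unknown")


def check_bucket(bucket: str, timeout: float = 10.0) -> BucketCheck:
    """Live check (needs network): anonymous GET, no AWS credentials involved."""
    req = urllib.request.Request(f"https://{bucket}.s3.amazonaws.com/",
                                 headers={"User-Agent": "s3-listing-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_listing(resp.status, resp.read())
    except urllib.error.HTTPError as err:
        return classify_listing(err.code, err.read())


# Constructed sample responses (not captured from any real bucket).
SAMPLE_PUBLIC = (200, b"""<?xml version="1.0" encoding="UTF-8"?>
<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-bucket</Name><Prefix></Prefix><Marker></Marker>
  <MaxKeys>1000</MaxKeys><IsTruncated>true</IsTruncated>
  <Contents><Key>previews/0001.png</Key><Size>48213</Size></Contents>
  <Contents><Key>previews/0002.png</Key><Size>51907</Size></Contents>
</ListBucketResult>""")
SAMPLE_PRIVATE = (403, b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message></Error>""")
SAMPLE_MISSING = (404, b"""<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>NoSuchBucket</Code><Message>The specified bucket does not exist</Message></Error>""")


if __name__ == "__main__":
    for status, body in (SAMPLE_PUBLIC, SAMPLE_PRIVATE, SAMPLE_MISSING):
        print(status, classify_listing(status, body))
    if len(sys.argv) > 1:                       # python s3check.py <bucket-name>
        print(check_bucket(sys.argv[1]))
```

Two caveats when reading the result. A listing is returned at most 1,000 keys per page, so `truncated` being true means the count you see is a lower bound until you page through with the `Marker` value; a bucket holding 638,000 files takes hundreds of pages. And a `private` verdict on the bucket root only says that ListBucket is denied; individual objects can still be readable by direct URL if their own permissions allow it, which is exactly what a cart preview image needs. The clean way to close both doors at once is S3 Block Public Access (`aws s3api put-public-access-block` with all four settings true) and then serving previews through pre-signed URLs or a CDN in front of a private bucket.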

My first attempt to notify Vistaprint on December 28 was not wholly successful. I contacted them over Twitter, but after I explained what the problem was, their Twitter team told me whom to contact for any problems with my account. I had to explain again that this was not a problem with just my account but one affecting everyone who used the logomaker service. Their reply to that was to assure me that they would forward my notification. They also thanked me for alerting them to the issue.

By 9 am that same day, the problem was fixed: the S3 bucket was no longer exposing its contents, and the website cart was functioning fine.

In addition to notifying Vistaprint, I also contacted Cimpress, the parent company of Vistaprint. In the process of trying to find out how to contact them, I discovered that they have two other domains on the same IP address as their .com domain. Neither of these other domains has a valid SSL certificate, and both redirect to the .com domain if you click through the browser’s certificate warning. That is obviously not good.

This relatively minor incident may leave readers wondering, “Where are the millions of people affected?” That’s not what my reports on this site are about. We are not looking for FUD-type headlines but to quietly and consistently help entities secure their data. In Vistaprint’s case, this is their second leak or exposure in one month. In November, Oliver Hough tried to notify them of a leak involving personal information. He had attempted contact via Twitter, but the way he went about it may not have helped Vistaprint’s Twitter team really understand his notification. When TechCrunch then contacted them (and ultimately reported on it), Vistaprint responded.

I have re-contacted Vistaprint to see if they would confirm that my report led to this being closed, but even without their reply, it seems pretty clear from the time frame that this is the case.

Research and reporting by Lee J.

Category: Breach Incidents, Business Sector, Commentaries and Analyses, Exposure

© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.