When an influencer links up with an influencer marketplace, she probably expects to build better relationships with brands, gain access to new products and hopefully forge some profitable content partnerships. What she does not expect is for her personal information to end up on a publicly accessible database.
Unfortunately, that is just what happened last month to around 12,000 social media stars who work with Paris-based influencer marketplace Octoly. According to cyber risk company UpGuard, carelessness on the part of Octoly led to influencers' personal information — like street addresses, phone numbers, birth dates, email addresses and more — becoming accessible in a public database.
"This leak opens up the potential for identity theft, password reuse attacks and account takeovers of affected creators," UpGuard PR director Kelly Rethmeyer told Fashionista via email. "This data exposure largely undoes many of the efforts these individuals take to maintain some degree of anonymity in the public eye. This risk is heightened for this demographic because of their status as established internet personalities, opening up the threat of harassment or misuse of personal details in their real lives, a common and increasingly dangerous phenomenon online."
Octoly, which has partnered with brands like Dior, Estée Lauder, Lancôme and L'Oreal, was generating $8.6 million in earned media value in 2016, according to Forbes. The firm works with influencers whose follower counts range from under 10,000 to over 200,000. And while UpGuard has made the leak known to representatives at Octoly, the cyber risk security firm doesn't believe the influencer marketplace has done enough to address the issue.
"We have no faith that Octoly has notified the affected people, and we are not sure if anyone else acquired the data," UpGuard analyst Dan O'Sullivan told Fashionista via email. "We really want to make the affected beauty/fashion personalities aware that this info was exposed."
Tweets from Octoly clients claiming they weren't informed by the firm that a breach had even occurred seem to prove O'Sullivan's point.
"This is incredibly disappointing and wrong," tweeted Priyanka, the beauty influencer behind Glamour & Giggles, after finding UpGuard's blog post about the leak. "Octoly was notified about this A MONTH AGO and us influencers are finding out our personal information had been compromised weeks later... and not even from the people at #octoly. What happened to transparency and ethics?!"
While Octoly is responding to individual users on Twitter or Instagram, declaring that "we closely monitored the situation and we consider that the situation is under control," there's no word yet on whether Octoly has informed all of its clients about the data breach.
So what should users who were potentially impacted by the breach do next? According to Rethmeyer, it would be wise for users to change their Octoly account passwords, and if those passwords were re-used on other services like email, they ought to change those other passwords as well.
"Octoly creators should also monitor any activity on their personal PayPal accounts as this information was included within many of the exposed records," Rethmeyer warns. "If they would like more information about the depth of this exposure and to confirm whether or not their private details were included, they should contact Octoly."
UPDATE, Wednesday, Feb. 7, 12:34 p.m.: Octoly provided Fashionista with the following statement via email:
"We regret this incident and apologize to our community for the concern this matter has caused. We confirm that the data security incident has been resolved on our platform. We continue to closely monitor the situation. Out of caution, we have notified all members of our community and have invited them to contact us with any questions. To prevent future incidents of this kind, we are taking further extensive measures to protect our community's personal information by implementing new protocols to strengthen the security of our platform."
A representative from Octoly confirmed that the firm was made aware of the breach on Jan. 12, began responding to users who reached out with concern about the incident on Feb. 5, and notified all users about the incident today, Feb. 7.