Kardashian websites hacked via unsecured API
Hundreds of thousands of subscriber records were accessed, but no payment details were revealed

The Kardashian family has been the subject of a hack that revealed subscriber details of more than 600,000 people.
Luckily for them, it was accessed by a developer who told the company behind the websites about it via a blog post rather than a malicious attacker who wanted to ruin the reputation of the Kardashian family.
The flaw was first discovered on Kylie Jenner's website, but 19-year-old developer and communly.com CEO Alaxic Smith then discovered the same API was used on other sites run by the family.
He managed to find the first and last names of 600,000 users on Kylie's website and was able to access the same information on Kim, Kendall and Khloe's websites too.
TechCrunch revealed he was also able to "create and destroy users, photos, and videos," making it a very powerful flaw for malicious hackers who may want to cause damage.
Whalerock Industries, the company running the group of websites, said it took down the API as soon as it was made aware of the problem.
"Shortly after launch, we were alerted that there was an open API. It was promptly closed. Our logs indicate that the author of the blog post was able to access only a limited set of names and email addresses," it said in a statement.
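As an added illustration, not code from Whalerock or from the article: a minimal Python sketch of the failure mode described above (an endpoint that answers anyone with every subscriber's name and email) beside hardened read and delete handlers that require a session and an owner check, plus the kind of log query a team would run to scope which records a client actually read, as the statement describes. The subscriber records, session tokens, paths and log lines are all constructed for the example.

```python
from collections import defaultdict
# Constructed sample subscriber records (not data from the real sites).
SUBSCRIBERS = {
    "u1": {"first": "Ada", "last": "Lovelace", "email": "ada@example.com"},
    "u2": {"first": "Alan", "last": "Turing", "email": "alan@example.com"},
    "u3": {"first": "Grace", "last": "Hopper", "email": "grace@example.com"},
}
SESSIONS = {"tok-ada": "u1", "tok-alan": "u2"}  # hypothetical: bearer token -> subscriber id

def list_users_open(request):
    """The failure mode in the article: nothing is checked, every record goes to anyone."""
    return 200, list(SUBSCRIBERS.values())

def _authorize(request, user_id):
    """Authenticate the bearer token, then object-level authorization (own record only)."""
    header = request.get("headers", {}).get("Authorization", "")
    caller = SESSIONS.get(header[7:]) if header.startswith("Bearer ") else None
    if caller is None:
        return 401, {"error": "authentication required"}
    if caller != user_id:
        return 403, {"error": "forbidden"}
    return None  # allowed

def get_user(request, user_id):
    """Hardened read: returns (status, body) like a minimal HTTP handler."""
    return _authorize(request, user_id) or (200, SUBSCRIBERS[user_id])

def delete_user(request, user_id):
    """Same gate on the destructive path the article says was exposed."""
    denied = _authorize(request, user_id)
    if denied:
        return denied
    SUBSCRIBERS.pop(user_id)
    return 204, None

# Constructed access log ("client method path status"), not Whalerock's real logs.
ACCESS_LOG = """203.0.113.5 GET /api/users/u1 200
203.0.113.5 GET /api/users/u2 200
203.0.113.5 GET /api/users/u3 200
198.51.100.9 GET /api/users/u2 200
203.0.113.5 DELETE /api/users/u3 401"""

def records_read_by_client(log_text):
    """Scope an exposure from logs, as in the statement: which records each client read."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        client, method, path, status = line.split()
        if method == "GET" and status == "200" and path.startswith("/api/users/"):
            seen[client].add(path.rsplit("/", 1)[1])
    return {client: sorted(ids) for client, ids in seen.items()}
```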
The websites don't handle payments of any kind, so other sensitive information such as card details or bank account information was not available to Smith.
The Kardashian websites launched alongside apps just a few days ago and almost 900,000 people signed up to the service, which costs $2.99 a month.
Mark James, security expert at IT security provider ESET, said: "This is what can happen when you take a massive, potential money-making scenario and apply an urgency to get it off the ground without thoroughly looking into the security aspect of how you're going to protect all the vulnerable people's data you will collect.
"They receive the monetary benefits so they should be involved in making sure that the right people look after it and as much money as is needed is ploughed into making it secure. We will see more and more celebrities utilising this avenue for exposure and with that comes the risk of more people trying to get access to that data, some may not make it public until after they have used and abused it."

Clare is the founder of Blue Cactus Digital, a digital marketing company that helps ethical and sustainability-focused businesses grow their customer base.
Prior to becoming a marketer, Clare was a journalist, working at a range of mobile device-focused outlets including Know Your Mobile before moving into freelance life.
As a freelance writer, she drew on her expertise in mobility to write features and guides for ITPro, as well as regularly writing news stories on a wide range of topics.