30,000+ Italian sales agents’ personal data, IDs leaked by MLM company that distributes wellness products

We recently uncovered an unsecured Amazon Simple Storage Service (S3) bucket that contains quite 36,000 documents, including scans of national IDs, credit cards, and insurance cards. The database also contains sales representative enrollment contracts that include personally identifiable information like full names, addresses, tax identification numbers, and signatures of mostly Italian citizens.

The database appears to belong to Ariix Italia, the recently launched Italian branch of Ariix, a US-based multi-level marketing company that advertises and sells health and wellness products.

On May 28, we tried to succeed in bent Ariix regarding the leak but received no response. We then reported the incident to Amazon and that they were ready to secure the S3 bucket. As of June 5, the Ariix Italia data bucket has been closed and is not any longer accessible.

Most of the contracts within the S3 bucket appear to be Ariix sales representative enrollment contracts that contain the subsequent personally identifiable information:

Full names

Dates of birth

Tax identification numbers

Street addresses

Email addresses

Phone numbers

Signatures

Who owns the bucket?

The unsecured S3 bucket belongs to Ariix, a multi-level marketing company based in Utah, us . Dubbed “The Opportunity Company,” Ariix offers a good sort of health and wellness products starting from skincare products like Nucerity and Reviive to nutritional supplements like Nutrifii to Ariix-branded notebooks that are sold online also as by the company’s sales representatives.

Ariix operates in additional than 20 different countries including us , Canada, Australia, Japan, the uk , and therefore the European Union . Recently, Ariix has entered the Italian market, where the first owners of the overwhelming majority of the documents stored within the unsecured bucket appear to originate from.

Who had access?

At the instant, it's unclear if any bad actors have accessed the Ariix Italia S3 data bucket. With that said, the confirmed data goes back a minimum of several months. During this era, the bucket could are accessed by anyone, as long as they knew where to seem.

Therefore, as a precaution, Ariix Italia customers and sales representatives who have provided the corporate with their personal information should verify that their identities haven't been wont to commit fraud or other illegal activities.

What’s the impact?

All of the document scans found within the unprotected Ariix data bucket are deeply sensitive, and most of them are quite enough for an attacker to place up the victims’ identities purchasable on the black markets of the dark web or just steal their money from credit cards.

Once acquired, the personally identifiable data that belongs to quite 30,000 people whose documents are stored within the bucket are often used to:

Mount convincing phishing attacks

Launch targeted phone and email spam campaigns

Take out loans and credit cards in victims’ names

Steal money

Buy illicit goods with victims’ credit cards

Use the victims’ health insurance

Brute-force online account passwords

What to do if you have been affected?

Apart from activating fraud alert on their bank accounts, customers and sales representatives who have provided Ariix Italia with document scans or signed any contracts with the corporate should do the following just in case of any suspicious activity of fraud:

Report identity theft to law enforcement

Notify their creditors, banks and other financial services of possible fraud or MasterCard theft as soon as possible

Review and frequently monitor recent activities on their online accounts for suspicious emails, messages, and requests

Replace their national IDs, credit cards, and medical insurance cards

Disclosure

We identified Ariix because the owner of the database and notified the corporate about the leak on May 28, 2020. However, we received no answer.

On June 1, we reported the unsecured bucket to Amazon. After providing the AWS Trust & Safety team with more information on June 5, they were ready to disable unauthorized access to the bucket on an equivalent day.