The Kardashians’ new websites mistakenly publicized personal user info

In conjunction with the release of their new apps, which allow fans to subscribe to exclusive content from the celebrities for a nominal monthly fee, the Kardashian-Jenner sisters have each decided to launch their own new websites this week. Of course, when you sign up as an early adopter of just about anything, there’s always the risk of something bad happening as a result.

In the case of the new Kardashian sites, you were opening a window to your personal data. But you’re not alone. In fact, the names and email addresses of about 891,340 users were exposed due to a flaw in the code which left the API open for everyone to see. 19-year-old Web developer Alaxic Smith discovered the hole only a few hours after the apps and websites launched.

As the creator of his own community-driven, celebrity-focused app, Communly, Smith decided to start meddling in the sisters’ code to compare the data they were collecting to his own. Little did he know that the personal information of all their registrants would be so easily accessible: an amateur hacker’s dream come to life.

“I now had access to the first names, last name, and email addresses of the 663,270 people who signed up for Kylie Jenner’s website,” Smith wrote in a Medium post. “I then noticed that I could do the same API call across each of the websites and return the same exact data for each site. I also had the ability to create/destroy users, photos, videos, and more. It’s clear why this is a major issue, and raises the question: Should users trust not only their personal information but also payment information with these apps?”

Fortunately, Smith reached out to Whalerock Digital Media, the company behind the sites and apps, which initially made him take the Medium post down while cautioning against speaking with the media about the security oversight. After that, the media agency assured TechCrunch that the problem had been fixed and that any payments made prior to the patch had been secured.

In case you are one of those affected, the most harm you can expect is a few spam emails since no credit card information was leaked. And unless you’ve never agreed to a privacy policy without reading it, there’s a good chance you receive some of those already. In closing, while you shouldn’t expect this to be another Ashley Madison ordeal, it can always be a bit frustrating when your personal info has been outed.

Gabe Carey
Former Digital Trends Contributor