Plastic surgery photos and records exposed in unsecured database

2025-04-28 09:17:51admin

Plastic surgery is more mainstream than it's ever been, but that doesn't mean patients are dying to have their cosmetic laundry aired in public.

Security researchers at vpnMentor discovered that about 900,000 images and invoices from cosmetic surgery imaging company NextMotion were sitting on an unsecured database in cloud storage. The exposed files included detailed invoices of procedures, as well as explicit images and 360-degree videos of patients' faces and bodies, including breasts and genitalia.

The report (via CNET) found that the breach could affect thousands of patients whose doctors use technology and software provided by NextMotion at 170 clinics around the world. The researchers discovered the vulnerable database during their "web mapping" project, which scans the internet and cloud for weaknesses.

"Our team was able to access this database because it was completely unsecured and unencrypted," the report reads.

Mashable Light Speed Want more out-of-this world tech, space and science stories? Sign up for Mashable's weekly Light Speed newsletter. By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy. Thanks for signing up!

That's contrary to NextMotion's claims on its website that "all your data is 100% secure." The culprit of the breach was a NextMotion Amazon Web Services (AWS) S3 bucket, a kind of digital cloud storage technology akin to a file folder. S3 buckets have been linked again and again to exposed databases of customer information when companies fail to secure them properly.

The researchers contacted NextMotion when they discovered the vulnerability and it has since been secured.

"We immediately took corrective steps and this same company formally guaranteed that the security flaw had completely disappeared," NextMotion writes on its website.

Cases of bungled cloud storage seem a dime a dozen these days, but the common scenario — of a company not taking the appropriate steps to obscure and secure its online databases — takes on a new and disturbing urgency when the content contains medical records and, frankly, nude photos. The images contained identifying information of patients, as well as before-and-after photos of procedures.

Even if everyone from Bella Hadid to your coworker Jill in marketing is getting a Botox brow lift, they don't necessarily want the world to know.