We recently learned that an S3 bucket containing member-uploaded images and avatars was misconfigured. From May 4 to May 11 we restricted all access to the bucket, including temporarily restricting the access of our registered users, thereby blocking anyone from viewing the images. We have also engaged a team of third-party experts to investigate. We expect that investigation to be complete soon.
We have restored user access to images on our site and enabled the functionality to view and edit avatar images, images with posts, and images in private messages in the community discussion forums.
These are the measures we have taken:
We reconfigured the Amazon Web Services (AWS) S3 bucket, our cloud storage container, where images are stored to tighten access and role permissions per AWS best practices.
We removed the metadata associated with all historical and newly uploaded images. This metadata is the standard information that digital cameras embed in a photo: the image and sound format details plus ancillary tags (which can include where a photo was taken), commonly displayed alongside digital images.
As an additional layer of security, we also implemented pre-signed tokens that allow only the community website (or approved Breastcancer.org staff) to load or download images.
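The metadata-removal step above is what keeps location tags out of served images. As an added illustration (not Breastcancer.org's code), the Python below strips the EXIF/XMP, IPTC and comment segments from a JPEG before storage, leaving the pixel data untouched; the sample JPEG it operates on is constructed inline, with an EXIF block that points at a GPS directory.

```python
import struct

# JPEG marker codes (each marker is 0xFF followed by the code byte).
SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, APP13, COM = 0xE0, 0xE1, 0xED, 0xFE
# Segments that carry metadata rather than image data: EXIF/XMP (APP1),
# IPTC/Photoshop (APP13) and free-text comments (COM). APP0 (JFIF), APP2 (ICC)
# and APP14 (Adobe) are kept because decoders may need them to render colours.
METADATA_MARKERS = {APP1, APP13, COM}

def segment(code: int, payload: bytes) -> bytes:
    """Build one marker segment; the 2-byte length counts itself plus the payload."""
    return bytes([0xFF, code]) + struct.pack(">H", len(payload) + 2) + payload

def sample_jpeg_with_gps() -> bytes:
    """Constructed input: JPEG framing with an EXIF APP1 whose IFD0 has a GPSInfo pointer."""
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)              # big-endian TIFF header, IFD0 at byte 8
    tiff += struct.pack(">H", 1) + struct.pack(">HHII", 0x8825, 4, 1, 26) + struct.pack(">I", 0)
    tiff += struct.pack(">H", 1) + struct.pack(">HHI", 0x0001, 2, 2) + b"N\x00\x00\x00" + struct.pack(">I", 0)
    return (bytes([0xFF, SOI])
            + segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
            + segment(APP1, b"Exif\x00\x00" + tiff)
            + segment(COM, b"taken at home")
            + bytes([0xFF, SOS]) + b"\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"  # SOS header + fake scan
            + bytes([0xFF, EOI]))

def segment_codes(jpeg: bytes) -> list:
    """Marker codes in order up to and including SOS/EOI, for before/after comparison."""
    codes, pos = [], 2
    while pos + 4 <= len(jpeg):
        code = jpeg[pos + 1]
        codes.append(code)
        if code in (SOS, EOI):
            break
        pos += 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
    return codes

def strip_metadata(jpeg: bytes) -> bytes:
    """Return a copy of `jpeg` without EXIF/XMP, IPTC and COM segments.
    Everything from SOS onward (the entropy-coded pixel data) is copied verbatim."""
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG stream")
    out, pos = bytearray(jpeg[:2]), 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"bad marker at offset {pos}")
        code = jpeg[pos + 1]
        if code in (SOS, EOI):
            out += jpeg[pos:]                    # pixel data and trailer are not metadata
            return bytes(out)
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        if code not in METADATA_MARKERS:
            out += jpeg[pos:pos + 2 + length]    # keep structural segments as-is
        pos += 2 + length
    raise ValueError("truncated JPEG stream")
```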
For the time being, some images may not render properly within posts, private messages, and your avatar. We are working to resolve this over time. To help us in this effort, please contact us if you do not see your avatar or images being displayed.
If you would like to have your posts containing images removed, you can do so by deleting your post or private message in the community. If you wish to remove your member profile photo, you can do so under Settings within your profile.
Dear Community Members:
During the last few days, much has been written about Breastcancer.org and a misconfigured S3 bucket. Unfortunately, there have been conflicting reports about this situation. We want to be sure that our community has the correct information, so in addition to the emails we have sent, we have separated fact from fiction below.
The information shared on our site is stored in "buckets" — like file cabinets — in the cloud. We recently learned that a bucket containing member-uploaded images and avatars was configured in such a way that someone could theoretically access it and look at the images inside. When we learned of this, we restricted all access to the bucket, including temporarily restricting the access of our registered users thereby blocking anyone from viewing the images. We also engaged a team of third-party experts to investigate. We expect that investigation to be complete soon. We are finalizing steps to prevent public access to the bucket and expect our registered users to regain access to the images today.
We want to emphasize that any statements that Breastcancer.org has experienced a "data breach" are inaccurate, as are reports that Breastcancer.org was sharing medical records; we did not and do not share any medical records or patient information without your consent. While someone could have viewed the images stored in the bucket one by one and determined information such as the longitude and latitude coordinates from when those images were taken, we do not have any information to suggest that anyone did so.
We apologize for the inconvenience and concern that this situation has caused some of you. The security of your information remains a priority for us.
We recently became aware of a potential issue related to images uploaded by community members to the Breastcancer.org website. While we continue to look into the potential issue, we have temporarily disabled member-uploaded images.
We are working with our privacy and legal team to investigate the issue further. We are notifying members by email (subject line "Notice: Image access", sent on 5/4/2022) and posting updates here.
Site updates will be published every two weeks.
— Last updated on May 19, 2022, 5:03 PM