A database belonging to NextMotion has been breached, with around 2.3 million sets of patient before and after photos compromised. NextMotion is a French plastic surgery web application firm that enables medical practitioners to enhance patient experience by letting patients see what they would look like after cosmetic procedures. The database leak has put confidential information about countless individuals at risk, including pictures that portray people’s faces, breasts, and genitalia.
The data was exposed on an Elasticsearch server that was publicly accessible, protected by neither a password nor a firewall. Security researcher Anurag Sen reported the breach to NextMotion in March 2021; it is still unknown how long the data was exposed before it was discovered. According to Sen, the company failed to respond to his message, and the firm only secured the database on May 5, after Sen contacted the media. NextMotion notified the French authorities of the leak and has launched a cyber forensic investigation into the incident. However, it is unclear whether the French authorities have made a statement regarding the situation.