Kanopy users' streaming data exposed in library leak
Is your guilty pleasure about to be exposed?
Binge watchers may have their screen-time secrets revealed — if they've been using the online video streaming service offered by libraries in the Portland metro area and across the state.
Cybersecurity bloggers and tech media sites report as many as "26 to 40 million log lines" may have leaked daily from Kanopy, which is available free of charge to cardholders in Multnomah and Washington counties, and at the Oregon City, West Linn and Lake Oswego libraries. The service is also available in Bend and to Yamhill and Marion county residents via the Chemeketa Cooperative Regional Library Service.
In a Thursday, March 21 email to Multnomah County library users, Kanopy CEO Olivia Humphrey confirmed a security update was implemented on Monday. "While our investigation is ongoing, at this stage, we believe significantly less than one percent of accounts have been affected," Humphrey wrote.
County librarians specify that only 162 accounts were compromised across all users nationwide — and those users have already been notified of the breach and required to change their password. For context, Multnomah County has about 3,000 total monthly users of Kanopy.
Security researcher Justin Paine, who first spotlighted the unsecured database of user info, believes "bad actors" could potentially identify what individuals were watching using geolocation, internet service provider and timestamp data.
Kanopy bills library districts for each video stream, so local customers don't provide the company with credit card numbers or their state ID. They do have to provide their library card number, PIN and name, however.
In a statement, the Multnomah County Library said it holds "our vendors to high standards of data security" and is working to protect patrons' privacy.
In an email to local administrators, Humphrey says there's no evidence that the exposed information has been used "maliciously."
Added the Kanopy CEO: "The only thing as important as providing our Kanopy users with rich viewing experiences is protecting the integrity and security of your data. As our community continues to grow, we will always prioritize ensuring that our platform is entirely secure, regardless of scale."