Vistaprint. Everyone knows it, and probably almost everyone knows somebody who has used the firm to design or print business cards, brochures, or other business stationery or marketing materials. Recently I was on Vistaprint’s site to create a new logo for ctrlbox.com. To my unpleasant surprise, I discovered that the preview of my logo displayed in my cart was served from an insecure Amazon S3 bucket that allowed anyone to list its contents: more than 638,000 files. Many of the files were default logomaker images, but many others were logos made by users of Vistaprint’s logomaker service. The logomaker service appears to be the only Vistaprint service that serves files from an S3 bucket; all the other services use another third-party web service that generates the previews and content for your chosen style.

While this is not a huge risk to personal security, or even a leak of any personal data beyond some test or saved logos from an online service, it is yet another reminder that no matter how big a corporation you may be, mistakes can always happen with cloud services, which are used more and more frequently these days.

My first attempt to notify Vistaprint, on December 28, was not wholly successful. I contacted them over Twitter, but after I explained what the problem was, their Twitter team told me whom to contact for any problems with my account. I had to explain again that this was not a problem with just my account but one affecting everyone who had used the logomaker service. Their reply to that was to assure me that they would forward my notification. They also thanked me for alerting them to the issue. By 9 am that same day, the problem was fixed: the S3 bucket was no longer exposing its contents and the website cart was functioning fine.

In addition to notifying Vistaprint, I also contacted Cimpress, the parent company of Vistaprint.
In the process of trying to figure out how to contact them, I discovered that they host two other domains on the same IP address as their .com domain. Neither of these other domains has a proper SSL certificate, and both redirect to the .com domain if you click through the warning about the failed certificate. That is obviously not good.

This relatively minor incident may leave readers wondering “Where are the millions of people affected?” That’s not what my reports on this site are about. We are not looking for FUD-type headlines, but to quietly and consistently help entities secure their data.

In Vistaprint’s case, this is their second leak or exposure in one month. In November, Oliver Hough tried to notify them of a leak involving personal information. He had attempted contact via Twitter, but the way he went about it may not have helped Vistaprint’s Twitter team really understand his notification. When TechCrunch then contacted them (and ultimately reported on it), Vistaprint responded. I have re-contacted Vistaprint to see if they will confirm that my report led to this being closed, but it is pretty clear from the time frame that that is the case.
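As an added illustration (not code from the original post, and not anything taken from Vistaprint’s or Cimpress’s systems), the Python below shows what “the bucket was exposing its contents” means in practice. It runs a first-pass check of a bucket policy for a statement that grants s3:ListBucket to everyone, puts that next to a hardened policy that still serves individual preview objects but does not allow listing, and parses the ListBucketResult XML that an anonymous GET on a listable bucket returns. The bucket name `example-logo-previews`, both policies and the XML body are constructed samples.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample data; "example-logo-previews" is a hypothetical bucket,
# not Vistaprint's. The first policy lets anyone call ListBucket, which is what
# allows a visitor to enumerate every key. The second only allows anonymous
# GetObject under one prefix, so preview URLs keep working but the bucket
# cannot be listed.
PUBLIC_LIST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-logo-previews",
                     "arn:aws:s3:::example-logo-previews/*"],
    }],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadPreviewsOnly",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-logo-previews/previews/*",
    }],
})

# Constructed body of an anonymous GET on the bucket root, i.e. what a browser
# shows when listing is allowed. IsTruncated=true means S3 has more pages
# (at most 1000 keys per page), so the key count is only a lower bound.
SAMPLE_LISTING = """<ListBucketResult xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
  <Name>example-logo-previews</Name>
  <IsTruncated>true</IsTruncated>
  <Contents><Key>default/logo-0001.png</Key><Size>1024</Size></Contents>
  <Contents><Key>default/logo-0002.png</Key><Size>1100</Size></Contents>
  <Contents><Key>saved/user-41/my-company-logo.png</Key><Size>2048</Size></Contents>
</ListBucketResult>"""


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, the two forms that mean 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _grants_listing(action):
    """Does one Action string cover s3:ListBucket, exactly or via a wildcard?"""
    a = action.lower()
    if a in ("*", "s3:*", "s3:listbucket"):
        return True
    return a.endswith("*") and "s3:listbucket".startswith(a[:-1])


def public_list_statements(policy_json):
    """Return the Sids (or positions) of Allow statements that let anyone list the bucket.

    First-pass audit only: Deny overrides, NotAction/NotPrincipal and Condition
    blocks are not evaluated; conditioned grants are skipped for manual review.
    """
    policy = json.loads(policy_json)
    hits = []
    for i, st in enumerate(_as_list(policy.get("Statement", []))):
        if st.get("Effect") != "Allow" or "Condition" in st:
            continue
        if not _is_anonymous(st.get("Principal")):
            continue
        if any(_grants_listing(a) for a in _as_list(st.get("Action", []))):
            hits.append(st.get("Sid", f"Statement[{i}]"))
    return hits


def grants_public_list(policy_json):
    return bool(public_list_statements(policy_json))


def summarize_listing(xml_text):
    """Parse a ListBucketResult body into the keys seen and whether more pages follow."""
    root = ET.fromstring(xml_text)
    keys, truncated = [], False
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the S3 XML namespace
        if tag == "Key":
            keys.append(el.text)
        elif tag == "IsTruncated":
            truncated = (el.text or "").strip().lower() == "true"
    return {"keys": keys, "truncated": truncated}
```

The policy check is deliberately conservative: it only reports unconditional grants to everyone and leaves anything with a Condition for a human to read. A bucket policy is also not the only way listing becomes public; a bucket ACL can grant it too, so in practice the fix is the hardened policy together with S3 Block Public Access enabled on the bucket, which refuses public policies and ignores public ACLs regardless of how they were set.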