Security incident notice: file storage misconfiguration

3 min read Last updated: February 9, 2026
Security incident notice: file storage misconfiguration

On January 28, 2026, we became aware of a security issue involving a misconfiguration in our file storage. This misconfiguration could have made some user-uploaded files accessible without authentication.

We want to thank CyberMapSec—and specifically Mohsin Ali (Mohsin.ali@cybermapsec.com)—for discovering the issue and reporting it professionally.

Summary of what happened

A portion of our file storage was misconfigured in a way that could have allowed unauthorized parties to access stored files by directly requesting them outside the application’s intended access controls.

This issue affected file storage permissions, not the way Postoria authenticates users in the app.

What files could have been exposed

The following types of files may have been exposed:

  • Files uploaded for public posting, including:
    • scheduled posts
    • posts not yet published
    • files later deleted
  • Files uploaded for restricted posting, such as content intended for:
    • unlisted or private YouTube uploads
    • private or restricted TikTok uploads
  • Other files users may have uploaded to Postoria

If you uploaded content that you consider sensitive, please treat it as potentially exposed, even though we have no confirmation that it was accessed.

Timeline

  • Prior to January 28, 2026: The misconfiguration existed and may have allowed unauthorized access to user-uploaded files.
  • January 28, 2026: We were notified of the issue.
  • Within ~1 hour: We reconfigured the file storage to significantly reduce the risk of successful unauthorized access.
  • February 9, 2026: We fully implemented a plan to move files to a fully secured file storage setup.

As of February 9, 2026, our file storage is secured.

Actions we took

Immediate mitigation (within ~1 hour)

After receiving the report, we took steps to significantly reduce the risk of unauthorized access:

  • Reconfigured the affected file storage permissions within approximately one hour
  • Began an expedited remediation plan to move files to a fully secured storage setup

Follow-up remediation

  • Completed the migration to a fully secured file storage setup on February 9, 2026
  • Reviewed access patterns and logs for indicators of unusual activity

Status of compromise

At this time:

  • We did not find evidence of unusual activity consistent with mass downloading of files in our logs.
  • However, we cannot rule out access with absolute certainty during the exposure window.

We are sharing this notice because transparency matters, and because this issue could involve user-uploaded content.

What this did not involve

The affected storage contained only user-uploaded media files and did not include user credentials, social network access tokens, or other non-file account data.

Our commitment going forward

We take security seriously and are committed to continuously improving our security practices and protecting user data.

If you have questions or concerns, contact us at contact@postoria.io.

For more information, see our Privacy Policy.