Trying to keep your Kardashian obsession under wraps?
If you’re one of the super-fans who quickly subscribed to one of the Kardashian or Jenner sisters’ newly launched websites, which arrived alongside $2.99-per-month mobile apps, then we’ve got some bad news. You may have inadvertently given yourself away.
A flaw in the design of the sister sites has reportedly exposed the personal information—including first and last names as well as email addresses—of 891,240 users.
A 19-year-old developer by the name of Alaxic Smith discovered the security issue and wrote about his findings on Medium, the publishing platform, earlier this week. (Soon after taking his results public, he removed the post. You can read an archived version of the article through this cached Google web page here.)
In a nutshell, Smith poked around the site until he eventually discovered an unsecure API—application programming interface, a kind of computer code that allows third parties to use proprietary data—containing users’ partial login information. “Initially, I thought that this was some page filled with dummy data, but as I started to look closer, I realized it wasn’t,” he wrote. “I now had access to the first names, last names, and email addresses of the 663,270 people who signed up for Kylie Jenner’s website.”
It didn’t take long for Smith to test the same trick across each website. And it worked each time.
The sites, crafted by Whalerock Industries, a software development firm, all bore the same vulnerability. So what affected thekyliejenner.com equally impacted kimkardashianwest.com, khloewithak.com, and kendallj.com. (At the time of publication, kourtneykardashian.com has yet to debut.)
Worse still? Smith discovered that he could manipulate data on each site. “I also had the ability to create/destroy users, photos, videos, and more,” he wrote.
Whalerock has since patched the computer bugs. The company released a statement about the flub to the tech news site TechCrunch on Wednesday.
Shortly after launch we were alerted that there was an open Api. It was promptly closed. Our logs indicate that the author of the blog post was able to access only a limited set of names and email addresses. Our logs further indicate no one else had access and that no passwords nor payment data of any kind was exposed. Our highest priority is the security of our customers’ data.
An interesting corollary to the security issue involves the inferred popularity of each high-profile celebrity, as gleaned from the data Smith was able to collect regarding new user enrollments. (Caveats: Fortune has no way of verifying the legitimacy of this information, let alone confirming that it is the complete.)
Earlier this summer, hackers leaked user databases from the infidelity site Ashley Madison. The data dumps threatened to expose the identities of presumably philanderous spouses, leading to extortion schemes, potential divorces, even alleged suicides. To be sure, the Kardashian-Jenner website gaffe is a far less grave situation.
The Kim Kardashian West website’s tagline is “unlock my world.” Guess it didn’t take much to do so.
Keep up with the Kardashians on Fortune.com. Watch the video below. Or head over to People.com, one of our own sister sites, to find out everything you ever wanted to know about Kim, Kylie, Khloé, Kendall, and Kourtney.
Subscribe to Data Sheet, Fortune’s daily newsletter on the business of technology.