This summer I found a potential vulnerability in the CGTrader Marketplace platform and tried to remove my data to keep myself safe. Unfortunately that is not possible, so I started a conversation with support. They are absolutely bozos: the support staff refused to delete my data and began to assure me that their security is all right. When I began to explain how a third party could gain access to my data, they just ended the conversation.
The chat with support is below:
Aleksandr Dikov: Documents are stored on the same server as the product images. OK, Can I delete the image of a document, as long as the situation is not resolved?
CGTrader: You can delete it yourself after it is not needed
Aleksandr Dikov: How? I don't see any link or buttons near my scan links in billing profile.
CGTrader: Oh, my mistake
Aleksandr Dikov: We misunderstood each other from the beginning?
CGTrader: No, I understand your concern, but images will stay safe with us
Aleksandr Dikov: Of course, I'm not an expert on network security, but I believe that it is possible to brute-force a couple of ID + filename combinations as a minimum. Given that we know that passports are stored there, filenames can be quite predictable. Can I somehow delete the uploaded images and re-upload them with hashed names, so that at least they can't be obtained in the simple way I have described?
*** END OF CONVERSATION BY SUPPORT MANAGER***
Then I wrote to the owner, and someone named Mantas Bliudzius answered:
They had added some salts and hashes to the link in the admin panel, but it changed nothing; you can just ignore it. I realized that the time for words had passed: we needed a clear demonstration and publicity to affect the company's management. I should say that I am not a professional hacker, and the tools below can be used by anyone. You need any text editor (or anything else) that can generate links with incrementing numbers (in my case I just used JavaScript in the browser (!!!)) and any program that can save files from a list of links (in my case WinHTTrack Website Copier).
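Before the demonstration, it is worth seeing why "salts and hashes in the admin panel" changed nothing and what the re-upload under hashed names asked for in the chat would actually require on the server side. The key that is enumerable here is the object key itself (sequential id plus a user-chosen filename) on a bucket that serves anonymous reads, so hashing the link shown in the admin panel is irrelevant while the old key stays readable. The example below is added here and is not the author's code or anything CGTrader runs; it is plain Python with only the standard library. It assumes a hypothetical signing secret and a server that checks every download, and it shows three pieces: a check that flags the legacy key layout, generation of an unguessable replacement key, and an expiring HMAC-signed download link of the kind a pre-signed URL provides, so that even a leaked key is useless after expiry.

```python
import hashlib
import hmac
import re
import secrets
import time
from typing import Optional

# Hypothetical server-side secret, constructed for this example. In a real
# deployment it would come from a secrets manager, never from source code.
SIGNING_SECRET = b"example-signing-secret-not-for-production"

# The legacy layout described on the page: a short numeric id and a filename
# chosen by the user, e.g. uploads/attachments/0001/passport.jpg
_LEGACY_KEY = re.compile(r"^uploads/attachments/\d{1,8}/[^/]+$")


def key_is_guessable(key: str) -> bool:
    """Flag object keys that follow the enumerable id + filename layout."""
    return bool(_LEGACY_KEY.match(key))


def make_object_key(extension: str) -> str:
    """Return an unguessable key for a newly uploaded document.

    Both path segments come from a CSPRNG: 256 bits for the directory and a
    random stored filename, so the key reveals nothing about the user or the
    document type and cannot be walked with a counter.
    """
    return (
        f"uploads/attachments/{secrets.token_hex(32)}/"
        f"{secrets.token_hex(8)}.{extension}"
    )


def sign_download(key: str, expires_at: int, secret: bytes = SIGNING_SECRET) -> str:
    """Return a hex HMAC-SHA256 over (key, expiry) for an expiring download link."""
    message = f"{key}\n{expires_at}".encode()
    return hmac.new(secret, message, hashlib.sha256).hexdigest()


def authorize_download(
    key: str,
    expires_at: int,
    signature: str,
    now: Optional[int] = None,
    secret: bytes = SIGNING_SECRET,
) -> bool:
    """Server-side gate before serving a document.

    Rejects expired links and any signature that does not match the exact
    key and expiry it was issued for (constant-time comparison).
    """
    now = int(time.time()) if now is None else now
    if now > expires_at:
        return False
    expected = sign_download(key, expires_at, secret)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    old = "uploads/attachments/0001/passport.jpg"
    new = make_object_key("jpg")
    print("legacy key guessable:", key_is_guessable(old))
    print("new key guessable:   ", key_is_guessable(new))
    exp = int(time.time()) + 300
    sig = sign_download(new, exp)
    print("valid link accepted:  ", authorize_download(new, exp, sig))
    print("forged key rejected:  ", authorize_download(old, exp, sig))
```

The two halves matter together: random keys stop enumeration of documents nobody has a link to, and the signed, expiring URL means a link that leaks (browser history, a screenshot, a support ticket) stops working on its own. Migrating existing uploads means copying them to new keys and deleting the old objects; leaving the old keys in place, as the admin-panel change did, leaves the original problem untouched.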
Well, generate the links:
https://cgtfiles.s3.amazonaws.com/uploads/attachments/0000/passport.jpg
https://cgtfiles.s3.amazonaws.com/uploads/attachments/0001/passport.jpg
https://cgtfiles.s3.amazonaws.com/uploads/attachments/0002/passport.jpg
...
The range from 0000 to 9999 was used in my case. Then just start the download process in your favorite program.
YES! That's all! In this case 12 users were compromised, WITH ONLY ONE GUESSED FILENAME (passport.jpg)!!! But you can imagine what could be found with different keywords and more complex scripts.
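A walk like the one described above is also easy to spot from the storage side, because it leaves a signature that a real user never does: one client requesting the same filename under a dense run of sequential ids, most of which do not exist. The example below is added here and is not the author's code or anything CGTrader has published. It is plain Python over a handful of constructed log lines in the shape of S3 server access logs (bucket name, IP addresses and request ids are made up; only the fields used here are kept), and it flags each (client, filename) pair that requested many nearly contiguous attachment ids with a high share of 404s.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the S3 server access log layout.
# The first client walks ids 0000-0005 for passport.jpg and mostly misses;
# the second fetches two objects it was evidently linked to.
SAMPLE_LOGS = """\
owner cgtfiles-example [10/Aug/2015:10:00:01 +0000] 203.0.113.5 - R1 REST.GET.OBJECT uploads/attachments/0000/passport.jpg "GET /uploads/attachments/0000/passport.jpg HTTP/1.1" 404 NoSuchKey
owner cgtfiles-example [10/Aug/2015:10:00:01 +0000] 203.0.113.5 - R2 REST.GET.OBJECT uploads/attachments/0001/passport.jpg "GET /uploads/attachments/0001/passport.jpg HTTP/1.1" 404 NoSuchKey
owner cgtfiles-example [10/Aug/2015:10:00:02 +0000] 203.0.113.5 - R3 REST.GET.OBJECT uploads/attachments/0002/passport.jpg "GET /uploads/attachments/0002/passport.jpg HTTP/1.1" 200 -
owner cgtfiles-example [10/Aug/2015:10:00:02 +0000] 203.0.113.5 - R4 REST.GET.OBJECT uploads/attachments/0003/passport.jpg "GET /uploads/attachments/0003/passport.jpg HTTP/1.1" 404 NoSuchKey
owner cgtfiles-example [10/Aug/2015:10:00:03 +0000] 203.0.113.5 - R5 REST.GET.OBJECT uploads/attachments/0004/passport.jpg "GET /uploads/attachments/0004/passport.jpg HTTP/1.1" 404 NoSuchKey
owner cgtfiles-example [10/Aug/2015:10:00:03 +0000] 203.0.113.5 - R6 REST.GET.OBJECT uploads/attachments/0005/passport.jpg "GET /uploads/attachments/0005/passport.jpg HTTP/1.1" 200 -
owner cgtfiles-example [10/Aug/2015:10:00:09 +0000] 198.51.100.7 - R7 REST.GET.OBJECT uploads/attachments/0042/invoice.pdf "GET /uploads/attachments/0042/invoice.pdf HTTP/1.1" 200 -
owner cgtfiles-example [10/Aug/2015:10:00:10 +0000] 198.51.100.7 - R8 REST.GET.OBJECT uploads/product_images/8812/render.png "GET /uploads/product_images/8812/render.png HTTP/1.1" 200 -
"""

# bucket_owner bucket [time] remote_ip requester request_id operation key "request_uri" status ...
LOG_RE = re.compile(
    r'^\S+ \S+ \[[^\]]+\] (?P<ip>\S+) \S+ \S+ (?P<op>\S+) (?P<key>\S+) "[^"]*" (?P<status>\d{3})'
)
ATTACHMENT_RE = re.compile(r"^uploads/attachments/(?P<id>\d+)/(?P<name>[^/]+)$")


def parse_log(text):
    """Yield (remote_ip, key, status) for every object GET in the log text."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and m.group("op") == "REST.GET.OBJECT":
            yield m.group("ip"), m.group("key"), int(m.group("status"))


def find_enumeration(text, min_ids=5, min_density=0.8, min_miss_ratio=0.5):
    """Return {(ip, filename): summary} for clients walking sequential attachment ids.

    Three signals are combined: at least min_ids distinct numeric ids for one
    filename from one IP, ids that fill at least min_density of their range
    (a counter, not a handful of legitimate links), and at least
    min_miss_ratio of the requests answered 404 (guessed keys that do not exist).
    """
    seen = defaultdict(lambda: {"ids": set(), "hit": 0, "miss": 0})
    for ip, key, status in parse_log(text):
        m = ATTACHMENT_RE.match(key)
        if not m:
            continue
        entry = seen[(ip, m.group("name"))]
        entry["ids"].add(int(m.group("id")))
        if status == 404:
            entry["miss"] += 1
        elif status == 200:
            entry["hit"] += 1

    alerts = {}
    for who, e in seen.items():
        ids = sorted(e["ids"])
        total = e["hit"] + e["miss"]
        if len(ids) < min_ids or total == 0:
            continue
        density = len(ids) / (ids[-1] - ids[0] + 1)
        miss_ratio = e["miss"] / total
        if density >= min_density and miss_ratio >= min_miss_ratio:
            alerts[who] = {
                "ids": len(ids),
                "span": (ids[0], ids[-1]),
                "hits": e["hit"],
                "misses": e["miss"],
            }
    return alerts


if __name__ == "__main__":
    for (ip, name), summary in find_enumeration(SAMPLE_LOGS).items():
        print(f"{ip} walked {name} ids {summary['span']}: "
              f"{summary['hits']} hits, {summary['misses']} misses")
```

The successful downloads (the "hits") are the ones to act on: in the sample, two documents were served to the enumerating client, which is the set of affected users an incident responder would need to identify and notify. The thresholds are deliberately conservative; a legitimate user following links from their own billing profile never produces a contiguous run of ids with a majority of misses.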