As security researchers Noam Rotem and Ran Locar revealed today, the open database carried almost 900,000 files on plastic surgery patients, likely from across the globe. “These included highly sensitive images, video files, and paperwork relating to plastic surgery, dermatological treatments, and consultations,” the researchers wrote in a post on vpnMentor, a VPN review site.

Rotem and Locar quickly sourced the database back to the French company NextMotion, which offers an “all-in-one” software platform to help plastic surgery clinics manage their patients. The company’s clients include more than 170 clinics in 35 countries. But for some reason, NextMotion stored all the collected information in an Amazon Web Services S3 online storage bucket with no password protection.

Whether anyone else found the open database is unclear. But in the wrong hands, the exposed information could have been abused to commit blackmail against the affected patients.

“Many more images were not just sensitive but also very graphic. Our team viewed close-up photos of women’s exposed breasts and genitals, including images taken immediately following a surgical procedure,” the researchers wrote. “Such photos being released into the public domain would be devastating for the women affected.”

The researchers uncovered the exposed database last month as part of a”web mapping project.” They then reported their findings to NextMotion, which has since secured the database.

“We immediately took corrective steps and this same company formally guaranteed that the security flaw had completely disappeared,” NextMotion CEO Emmanuel Elard wrote in a statement on the company’s website. Why the database was left unsecure is unknown. Elard told PCMag: "We are still investigating internally about what could happen to lead until this such data exposure. At this moment we have started a deep analysis and audit regarding our security processes with a certified company."