Data Leak: Private information of 14 million Key Ring users exposed
Five misconfigured Amazon Web Services (AWS) S3 buckets revealing private data of Key Ring users were discovered by vpnMentor researchers in January.
Like many similar apps, Key Ring lets users store digital copies of their loyalty cards, create a shopping list, receive weekly deals, and benefit from new loyalty programs. Some users, however, use the app to upload their personal ID and credit cards to avoid digging through their wallets.
Instead of setting the S3 buckets storing user files to “private,” Key Ring developers misconfigured the buckets, allowing 44 million images to be accessed by any individual with a browser.
“Our team was able to access this database because it was completely unsecured and unencrypted. We reached out to Key Ring, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure,” said the researchers.
The first misconfigured bucket exposed a database that included scans of retail club and loyalty card memberships, government IDs, gift cards, full credit card details (including CVV numbers), medical insurance cards, and even medical marijuana IDs.
The data leak also exposed CSV files containing membership detail lists of prominent North American retailers such as Footlocker, Matte and Walmart, revealing additional personally identifiable information for customers, including full names, email addresses, ZIP codes, membership ID numbers and dates of birth.
The remaining four buckets contained additional sensitive information about users, such as home addresses, device type, IP address and encrypted passwords.
“Every file we viewed could also be downloaded and stored offline, making them completely untraceable. Criminals could then target people over and over again, for many years to come. Alternatively, they could sell the data on the dark web to criminals around the world,” the researchers said.
After receiving notice from researchers that the app's security was compromised, Key Ring fixed the issues and secured their servers on February 20.
It remains unclear whether bad actors also discovered and accessed the database, or if they scraped any personal information of customers. However, it's best to be on the safe side and take precautions.
If you are a Key Ring user, monitor your credit card report for any suspicious activity. It's also a good idea to watch your inbox for phishing emails and to install a local security solution on your devices.
Since the app developers have yet to release a statement, you can also contact them for additional information.