
Data Leak: Private information of 14 million Key Ring users exposed

Alina BÎZGĂ

April 06, 2020


Five misconfigured Amazon Web Services (AWS) S3 buckets revealing private data of Key Ring users were discovered by vpnMentor researchers in January.

Like many similar apps, Key Ring lets users store digital copies of their loyalty cards, create a shopping list, receive weekly deals, and benefit from new loyalty programs. Some users, however, use the app to upload their personal ID and credit cards to avoid digging through their wallets.

What happened?

Instead of setting the S3 buckets storing user files to “private,” Key Ring developers misconfigured the buckets, allowing 44 million images to be accessed by any individual with a browser.
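The article does not say whether the buckets were opened through ACL grants or a bucket policy, so the Python example below (added here, not code from the article, vpnMentor or Key Ring) checks both, and shows how the S3 Block Public Access settings neutralize the same grants. Inputs are shaped like the GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock responses; the function names, bucket name and sample data are constructed for illustration.

```python
import json

# ACL group URIs meaning "everyone" and "any AWS account holder".
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/" + g
                 for g in ("AllUsers", "AuthenticatedUsers")}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _is_wildcard(principal):
    """True for Principal "*" or {"AWS": "*"} (also when given as a list)."""
    if isinstance(principal, dict):
        principal = principal.get("AWS", [])
    return "*" in _as_list(principal)

def public_exposure(acl_grants, policy_json=None, block=None):
    """Return reasons the bucket is publicly reachable (empty list = private).
    acl_grants:  "Grants" list shaped like a GetBucketAcl response
    policy_json: bucket policy document as a JSON string, or None
    block:       PublicAccessBlockConfiguration dict, or None if not set
    """
    block = block or {}
    findings = []
    if not block.get("IgnorePublicAcls"):
        for grant in acl_grants:
            uri = grant.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GROUPS:
                findings.append(f"ACL grants {grant['Permission']} to {uri.rsplit('/', 1)[-1]}")
    if policy_json and not block.get("RestrictPublicBuckets"):
        for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
            # Simplification: any Condition is treated as restricting access.
            if (stmt.get("Effect") == "Allow" and "Condition" not in stmt
                    and _is_wildcard(stmt.get("Principal"))):
                findings.append(f"policy allows {stmt.get('Action')} to Principal *")
    return findings

# Constructed sample inputs (not taken from the incident).
OPEN_ACL = [{"Grantee": {"Type": "Group",
             "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
LOCKED = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
          "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print("weak:    ", public_exposure(OPEN_ACL, OPEN_POLICY))
    print("hardened:", public_exposure(OPEN_ACL, OPEN_POLICY, LOCKED))
```

An empty result means neither an ACL grant nor an unconditional wildcard policy statement exposes the bucket; policies that rely on a Condition still need manual review.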

“Our team was able to access this database because it was completely unsecured and unencrypted. We reached out to Key Ring, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure,” said the researchers.

The first misconfigured bucket exposed a database that included scans of retail club and loyalty card memberships, government IDs, gift cards, full credit card details (including CVV numbers), medical insurance cards, and even medical marijuana IDs.


The data leak also exposed CSV files containing membership lists of prominent North American retailers such as Footlocker, Mattel and Walmart, which revealed additional personally identifiable information about customers, including full names, email addresses, ZIP codes, membership ID numbers and dates of birth.

The remaining four buckets contained additional sensitive information about users, such as home addresses, device type, IP address and encrypted passwords.

“Every file we viewed could also be downloaded and stored offline, making them completely untraceable. Criminals could then target people over and over again, for many years to come. Alternatively, they could sell the data on the dark web to criminals around the world,” the researchers said.

What now?

After receiving notice from researchers that the app's security was compromised, Key Ring fixed the issues and secured its servers on February 20.

It remains unclear whether bad actors also discovered and accessed the database, or if they scraped any personal information of customers. However, it's best to be on the safe side and take precautions.

If you are a Key Ring user, monitor your credit card report for any suspicious activity. It's also a good idea to watch your inbox for phishing emails, and to install a local security solution on your devices.

Since the app developers have yet to release a statement, you can also contact them for additional information.
