Key Ring, a digital wallet application provider, is the latest victim of a data breach that exposed nearly 14 million Key Ring app users’ data. Security researchers Noam Rotem and Ran Locar from vpnMentor found a misconfigured Amazon Web Services (AWS) S3 bucket, owned by Key Ring, that holds users’ personal details. The researchers stated that most of the exposed information belongs to users across North America.
The Key Ring application enables users to upload and save photos/scan copies of membership and loyalty cards to a digital wallet in their smartphones. The exposed personal data included government IDs, NRA membership cards, medical marijuana ID cards, credit card numbers, CVV numbers, and medical insurance cards.
Other information exposed in the data leak included CSV files of membership lists for North American retailers which contained the personally identifiable information (PII) data of millions of people. It’s also discovered that over 44 million images uploaded by Key Ring users were also exposed in the incident. Companies whose customers’ data exposed in the data leak include Walmart, Foot Locker Kleenex, La Madeleine Bakery, and Mattel.
vpnMentor stated that it discovered the data leak in January 2020, and immediately contacted Key Ring officials. The database is now secured.
“We can’t confirm how long the buckets were open, but the first was picked up by our web scanning tools in January. At the time, we were undertaking numerous investigations into other data leaks and had to complete these before we could analyze Key Ring’s S3 buckets. Once the details of the leak were confirmed, we immediately contacted Key Ring and AWS to disclose the discovery and assist in fixing the leak. The buckets were secured shortly after,” the researchers said in a statement.
In a similar database leak incident, thousands of baby videos and images were being left unsecured and exposed online by a mobile app called Peekaboo Moments. Peekaboo’s app developer, Bithouse, left the Elasticsearch database open and without password protection. The database contained more than 70 million log files comprising nearly 100 GB data stored from March 2019. The exposed data includes detailed device data, links to photos and videos, and around 800,000 email addresses.
Peekaboo stated that it’s still unclear for how long the server has been exposed to the data and who might have accessed it. The data breach news comes even after Peekaboo Moments promised to safeguard the data and information it stores.
