Data Breach Report: Popular Digital Wallet App Key Ring Exposes 14 Million Users
FOLLOW US ON SOCIAL MEDIA
Led by Noam Rotem and Ran Locar, vpnMentor’s research team of ethical hackers, recently discovered a data leak by the popular app Key Ring, that compromised the privacy and security of their 14 million users.
Key Ring allows users to upload scans and photos of membership and loyalty cards onto a digital folder on one’s phone. However, many users also use it to store copies of IDs, driver licenses, credit cards, and more.
A misconfigured Amazon Web Services (AWS) S3 bucket owned by the company exposed these uploads and revealed their owners’ private data. During the team’s investigation, they also found four additional unsecured S3 buckets belonging to Key Ring, exposing even more sensitive data as they were publicly accessible to anyone with a web browser.
These unsecured S3 buckets were a goldmine for cybercriminals, making millions of people across North America vulnerable to various forms of attack and fraud, says the report.
The first bucket was picked up by the team’s web scanning tools in January. At the time, they were undertaking numerous investigations into other data leaks and had to complete these before they could analyze Key Ring’s S3 buckets.
Once the details of the leak were confirmed, the vpnMentor team immediately contacted Key Ring and AWS to disclose the discovery and assist in fixing the leak. The buckets were secured shortly after.
Date discovered: January 2020
Date Key Ring and AWS contacted: 18th February 2020
Date of Action: 20th February 2020
Example of Entries in the Unsecured S3 Bucket
Anybody with a web browser could have viewed over 44 million images uploaded by Key Ring users. The private personal user data included scans of:
Retail club membership and loyalty cards
NRA membership cards
Credit cards with all details exposed, incl. CVV numbers
Medical insurance cards
Medical marijuana ID cards
Key Ring also works as a marketing platform for many of North America’s most prominent retail brands. As such, the bucket also contained CSV files detailing membership lists and reports for many of these businesses. These lists contained the Personally Identifiable Information (PII) data of millions of people.
Examples of companies affected, and the number of customer entries included:
Walmart/Kleenex list: ~16,000,000
Kids Eat Free Campaign: ~64,000
Unknown marketing campaign report: ~86,000
La Madeleine Bakery chain: ~6,600
Footlocker: Unknown amount of records
In the following example from La Madeleine Bakery, numerous PII data were exposed. This list is similar to many the research team viewed:
Membership ID numbers
Dates of birth
Locations and Zip Codes
Additional S3 Buckets Discovered
While investigating Key Ring’s first S3 bucket, the research team discovered four more buckets holding even more private data. In these buckets, they found a snapshot of the company’s database, which includes highly sensitive information about its users. Although the snapshot is not new, it held millions of records that were never meant to be exposed, such as:
Device and IP address information
Encrypted passwords and the “salt” randomized data used to encrypt them
Data Breach Impact
Two aspects of this leak made it especially dangerous, says the report.
The sheer volume of files exposed, impacting millions of people across North America
The value of the exposed data to criminal hackers
Aside from the CSV files, over 44 million images of personal cards were uploaded to the database by Key Ring users. These uploads exposed their credit card details, social security numbers, and much more. Had malicious hackers discovered these buckets, the impact on Key Ring users (and the company itself) would be enormous, adds the report.
“In fact, we can’t say for certain that nobody else found these S3 buckets and downloaded the content before we notified Key Ring. If this happened, simply deleting the exposed data and securing the S3 buckets might not be enough. Hackers would still have access to all the data, stored locally, offline, and completely untraceable,” concludes the team.
For the full report, please visit the vpnMentor blog.