Information Security incidents now affect even babies. Due to an unprotected Elasticsearch database, millions of videos and images of babies stored by the Peekaboo Moments mobile app are available for sale on deep web hacking forums. The database was not adequately protected by Bithouse Inc., the app’s developer. The report was filed by Dan Ehrlich, director of information security firm Twelve Security.
In his report, the researcher mentions that at
the time of the find, the Peekaboo Moments database contained at least 70
million log files (equivalent to more than 100GB of information). This
information includes a history of activity on the platform, such as logins, data
loading, and more.
Regarding the personal information exposed, the
information security report indicates that compromised data includes details
about the device where the app was installed
to media content (photos and videos) hosted on Alibaba Cloud
The investigator claims that nearly 900,000 email addresses were exposed during the incident.
The threat doesn’t end there, as the app also transmits sensitive data that, in a complex scenario, could affect babies. Peekaboo Moments has a growth tracker, which allows users to know the height and weight of their babies, and in many cases, the records include their date of birth. “They’re only a few months old and these babies have already suffered their first data breach“, Ehrlich adds.
Although its developers claim that Peekaboo
Moments is a safe space to safeguard photos and videos of babies, the incident
shows that the company has made basic information security errors, exposing
stored data and information.
In its Google Play Store profile, the company boasts of storing its users’ content securely: “We understand how important these moments are to our users. Your data privacy is one of our priorities, so your photos and videos will be stored in a safe space, out of reach of someone outside your family or friends.”
Researchers are still unclear how long the
database was exposed, and it is also unknown whether someone accessed or
managed to extract the information. In addition, despite multiple attempts,
researchers have failed to contact Jason Liu, CEO of Bithouse Inc, besides multiple
emails have also been sent to the company, apparently established in China, an
effort that has also resulted meaningless.
Troy Hunt, information security expert and
founder of the Have I Been Pwned platform, mentions that, despite the fact that
these kinds of incidents often occur, the fact that this database stored
information about users’ babies could expose affected to new attack variants
using the information and content exposed.
Another risk in using this app is related to a
feature to export content from Facebook to Peekaboo Moments, which implies that
Peekaboo Moments API keys for the social network are also exposed. This
information could allow an attacker to access the User’s Facebook content of
the Peekaboo app, Ehrlich says.
According to information from the International
Institute of Cyber Security (IICS), the app was launched in 2012 and has been
downloaded more than a million times from the Google Play Store. Peekaboo
Moments is a free service, although the company generates profits by offering
additional storage per scan starting at $9 each quarter. The company’s official
position on the incident is still expected.