Thousands of families using the Peekaboo Moments app may have been affected.
Data breaches are the new normal, and they mostly center on the exposed personal data of adults, such as payment information or other confidential information like passwords. Recently, however, we came across something shocking.
An app by the name of “Peekaboo Moments”, known for storing photos and videos of millions of babies worldwide, has been found exposing its Elasticsearch database hosted on Alibaba Cloud.
The severity of the breach is evident from the fact that the exposed database contains more than 70 million log files dating from March 2019. These files also include email addresses, location and device data.
[Image: an example of a record from the exposed database]
Dan Ehrlich from Twelve Security, who discovered this breach, has estimated that a minimum of 800,000 email addresses are part of the database. As Sarah Coble from Infosecurity Magazine reports, although the app was meant to enable parents to record key milestones for their babies, such as their length and weight, they will now, ironically, also be able to record “their baby’s first-ever data breach.”
Despite all of this, we’re yet to see any response from Bithouse Inc, the developers of the app. Since the company claims to take user security very seriously, this is a serious stain on its reputation, one that would have an impact considering the app has over 1 million downloads on the Google Play Store and a solid 4.5+ rating.
Currently, it is not clear how long the database has been left exposed, and we’re open to further developments from the Peekaboo team.
You may be thinking: this app ticks all the boxes you look for in a secure app, such as a large number of downloads and authentic user reviews, so how do we remain safe? It may seem harsh, but everything can be hacked, every single thing; hence, the best precaution available is to avoid uploading highly sensitive data to the internet.
This, however, is not the first time an Elasticsearch database has been found leaking sensitive data of unsuspecting users. In fact, there has lately been an increase in data breaches involving Elasticsearch servers. For instance, in 2018, an Elasticsearch database owned by Exactis leaked personal details of over 340 million users on the Internet.
Last month, another Elasticsearch database containing names and phone numbers of 267 million Facebook users was left exposed online. What’s worse is that researchers found 4,000 Elasticsearch servers hosting PoS malware, while a malware attack against exposed Elasticsearch databases was observed turning them into a DDoS botnet.