- Cybernews found Tokee’s unprotected MongoDB exposing ~1.2M users’ data
- Leak included names, phone numbers, avatars, device tokens, IDs, activity logs, and account status; chat logs were encrypted
- Deucetek secured the database after disclosure; no evidence of malicious access, but users warned of phishing risks
A messaging app called Tokee kept an unprotected database with plenty of sensitive information, exposing over a million customers to whoever knew where to look.
Security researchers from Cybernews discovered a non-password-protected MongoDB instance which contained user display names, phone numbers stored as numeric values, profile avatars, device tokens used for push notifications, user IDs, timestamps for account creation and update, “last seen” activity indicators, and account status flags (for example, premium or non-premium).
A deeper investigation determined the database belonged to a company called Deucetek, a US-based software firm developing the Tokee messaging app.
Locking the archives
Tokee isn’t as popular as WhatsApp, or Telegram, but it still has a solid user base. On the Android platform alone it has more than a million downloads (Apple’s app store does not display download numbers) – but Cybernews says that the leak exposed around 1.2 million users, “which likely represents the vast majority of the app’s user base”, it said.
Chat logs were also stored in the same database, but these were encrypted and as such are not at immediate risk. Should someone come along with enough computing power, the encryption could be cracked, but right now it’s not exactly cost-effective. Still, there is plenty of non-encrypted information in the database to cause serious harm:
“Although user chat messages stored in the same infrastructure appear to be encrypted using password-based OpenSSL encryption, the exposed personal data alone presents significant privacy, security, and regulatory risks,” the Cybernews team said.
Following responsible disclosure, Deucetek locked the database down. The researchers said there was no evidence that the data was discovered by malicious actors in the past, and the data appears not to have made it into the dark web. Therefore, users are advised to be careful with incoming messages, especially those claiming to come from Tokee, or Deucetek.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.
https://cdn.mos.cms.futurecdn.net/GcQXTy4NBXKeoop4V5WQnQ-970-80.jpg
Source link
