Boomoji, an app that allowed iOS and Android users to create 3D avatars, has suffered a data leak that could have potentially compromised the personal data of more than 125 million people.
The leak stemmed from two Elasticsearch databases (Elasticsearch is a search and analytics platform for storing and retrieving information) that were left exposed to the internet without password protection. One, hosted in the United States, served Boomoji’s international users; the other, hosted in Hong Kong, served China.
According to TechCrunch, it was possible to find these databases by searching for a few specific keywords on Shodan, a search engine for open devices and databases.
In total, these databases contained the personal information of 5.3 million users around the globe. Information exposed included usernames, gender, resident country, phone type, Boomoji ID, as well as the user’s school. The database also contained geolocation data of 375,000 Boomoji users.
However, the scale of the breach was far larger than the app’s user base. Also included were the contact details, including names and phone numbers, of some 125 million people who may not even be aware of the app’s existence. This is a result of users granting Boomoji access to their contact books.
“Boomoji’s data leak did not just expose the personal details of all 5.3 million of its users, it also compromised the information of millions of contacts of the Boomoji users that unknowingly had their data shared with the app by its users,” said Jonathan Benson, acting CISO and director of product management at cybersecurity software company Balbix.
Will Boomoji face regulatory fines under laws such as GDPR?
Earlier this year, the state passed new data privacy laws that made businesses more responsible for the way they handle customer data. Under the new laws, consumers can potentially sue for up to $750 for any mishandling of their data, while the state attorney general can sue for $7,500 for each intentional violation.
However, it is the European Union’s General Data Protection Regulation that will be more concerning for the app’s owners.
The new law, passed in May this year, saw fines for the mishandling of customer data rise to €20m or 4% of global turnover. According to Stephan Chenette, co-founder and chief technology officer of cybersecurity software company AttackIQ, as the data of European customers could be found in the exposed databases, Boomoji may face European regulators.
“Boomoji’s breach joins the likes of Urban Massage, FitMetrix and Voxox as companies that have exposed massive amounts of user data due to leaving ElasticSearch databases unsecured. By allowing the data of global users to be exposed, Boomoji could potentially face sanctions under several international data privacy laws, such as GDPR,” Chenette said.
A proactive solution
The issue is, according to Chenette, that businesses are waiting for breaches to occur before they start taking cybersecurity seriously. This is a potentially costly mistake and one that is easily avoided.
“Unsecured databases with no password protection is a simple enough problem to fix, if the companies are continuously monitoring all assets in order to quickly identify and remediate priority issues,” said Benson.
The problem is that most companies aren’t looking for potential problems themselves, and instead wait for attackers to uncover them before dealing with them.
“Boomoji is another unfortunate example of how most enterprises are still reactive to security incidents rather than proactively reducing the risk and preventing breaches,” he said.
“It must be a universal understanding that attackers are constantly testing security controls to find unsecured databases and other vulnerabilities. Enterprises must take a proactive approach to cybersecurity through attack simulation to detect security flaws and gaps before the adversary, and take the necessary remediation steps to ensure security.”
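The continuous asset monitoring that Benson describes can be reduced to a simple, repeatable check: for every Elasticsearch endpoint in your own inventory, send one unauthenticated request and confirm that the node refuses it. The script below is an added example written for this article; it is not code from Boomoji, Balbix or AttackIQ. The inventory hostnames are placeholders, and the sample responses used in the comments and test are constructed. It classifies a node as OPEN when an anonymous request to `/` returns the cluster banner (the condition that exposed the Boomoji databases), and as AUTH_REQUIRED when the node answers 401 or 403.

```python
from __future__ import annotations

import json
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import List, Tuple

# Constructed inventory of endpoints the organisation OWNS. These hostnames are
# placeholders; populate the list from your asset register, never from third-party
# search engines, so the check only ever touches your own infrastructure.
ASSUMED_INVENTORY = [
    "http://es-intl.internal.example:9200",
    "http://es-hk.internal.example:9200",
]


@dataclass
class Finding:
    endpoint: str
    status: str  # "OPEN", "AUTH_REQUIRED", "UNREACHABLE" or "UNKNOWN"
    detail: str


def classify_response(http_status: int, body: bytes) -> Tuple[str, str]:
    """Classify the reply to an unauthenticated GET / on an Elasticsearch node.

    401/403 means authentication is enforced. A 200 whose JSON body carries the
    cluster banner ("cluster_name" and "version") means anyone on the network can
    read and write the indices, which is exactly the Boomoji failure mode.
    """
    if http_status in (401, 403):
        return "AUTH_REQUIRED", f"HTTP {http_status}"
    if http_status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "UNKNOWN", "HTTP 200 with a non-JSON body"
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            version = doc["version"].get("number", "?")
            return "OPEN", f"anonymous access to cluster {doc['cluster_name']!r} (ES {version})"
        return "UNKNOWN", "HTTP 200 without a cluster banner"
    return "UNKNOWN", f"HTTP {http_status}"


def check_endpoint(url: str, timeout: float = 5.0) -> Finding:
    """Send a single anonymous request to an endpoint you own and classify it."""
    req = urllib.request.Request(url, headers={"User-Agent": "es-auth-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, detail = classify_response(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        # A 401/403 arrives here as an exception; the body is still readable.
        status, detail = classify_response(exc.code, exc.read())
    except (urllib.error.URLError, OSError) as exc:
        status, detail = "UNREACHABLE", str(exc)
    return Finding(url, status, detail)


def run_inventory(urls) -> List[Finding]:
    """Check every inventoried endpoint; schedule this, do not run it once."""
    return [check_endpoint(u) for u in urls]


def open_endpoints(findings: List[Finding]) -> List[str]:
    """Return the endpoints that must be remediated immediately."""
    return [f.endpoint for f in findings if f.status == "OPEN"]


if __name__ == "__main__":
    results = run_inventory(ASSUMED_INVENTORY)
    for f in results:
        print(f"{f.status:14} {f.endpoint}  {f.detail}")
    if open_endpoints(results):
        raise SystemExit("one or more Elasticsearch nodes accept anonymous requests")
```

Run it from a scheduler against the full asset register and treat any OPEN result as a priority incident. On the remediation side, Elasticsearch 6.8 and later enforce authentication when `xpack.security.enabled: true` is set in `elasticsearch.yml`, and a node that only needs to serve the application should bind `network.host` to a private interface rather than a public address; pairing those settings with a check like this one is what turns "nobody noticed" into a finding that is fixed before someone else searches for it.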