The famous Key Ring digital wallet application recently revealed information from millions of its users, reports vpnMentor.
Key Ring is an app that creates the user’s phone digital wallet and allows them to upload membership and loyalty card scans and photos, but many also use it to store copies of IDs, driver licenses, credit cards, and so on.
The company was formed in 2009 and said 14 million cards were deposited last year. In the European Union, the organization no longer represents customers because it does not comply with GDPR.
vpnMentor finds that a client pool of malfunctioning Amazon Web Services (AWS) S3 exposed user uploads. Four other unsecured S3 buckets from the Key Ring were also identified, each with more confidential details.
“These unsecured S3 buckets were a goldmine for cybercriminals, making millions of people across North America vulnerable to various forms of attack and fraud,” vpnMentor notes.
Standard storage systems for AWS, buckets for S3 have robust security features. Still, misconfigurations could expose them to anyone with a web browser, and this was also the case for Key Ring.
Although it is not known for how long the buckets of the business have remained open, vpnMentor reveals that their scanning tools were first used in January.
Since they reported the leak, on February 18, vpnMentor’s researchers contacted Key Ring and AWS, and soon since (February 20), they recovered the buckets.
More than 44 million photos of Key Ring users included in AWS S3 bin, including scans of government IDs, shopping club and reward cards, NRA membership cards, gift cards, uncovered credit cars (including CVVs), medical insurance cards, medicinal marijuana ID cards … etc.
The seal also included CSV membership list database files and records for some of North America’s leading retail brands that use Key Ring as a tool for marketing. The bucket thus released information that could be personally recognized (PII) by millions of people.
Walmart / Kleenex (around 16,000,000 users), La Madeleine Bakery chain (~6,600), Footlocker, and Mattel (~2,000) were the affected businesses.
PII shows the full names, email addresses, membership ID numbers, birth dates and locations, and zip codes in La Madeleine Bakery’s file.
Four additional buckets found by vpnMentor contained even more data, including a company database snapshot that provides highly sensitive information on their users, such as emails, home addresses, devices, and IP address information. They hashed passwords and cryptographic salt for them.
“In total, five S3 buckets belonging to Key Ring were exposed, all containing valuable, private information that could have serious security implications for millions of people,” vpnMentor notes.