[BreachExchange] Key Ring App Data Leak Exposes 44 Million Images

Destry Winant destry at riskbasedsecurity.com
Fri Apr 3 10:11:46 EDT 2020


A digital wallet app with millions of users has become the latest
organization to be caught storing customer data in unsecured Amazon
Web Services (AWS) S3 buckets.

Researchers at vpnMentor discovered five misconfigured buckets
containing the personal data of 14 million users of the Key Ring app.

The Key Ring app allows users to upload and store scans and photos of
membership and loyalty cards to a digital folder in their mobile
device. It is also commonly employed by users as a convenient way to
scan and store copies of their ID, driver's license, gift cards, and
credit cards.

The misconfigured buckets, which were set to "public" rather than
"private," were found to contain 44 million images uploaded by Key
Ring users.
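The "public" versus "private" distinction comes down to three S3 settings: the bucket ACL, the bucket policy, and the account or bucket Block Public Access configuration. As an added example (not from the article or from vpnMentor), the following Python evaluates saved API responses for those three settings and reports what makes a bucket world-readable; the bucket name, ACL, policy and Block Public Access data are constructed.

```python
# Offline audit of S3 bucket settings for public exposure, using the JSON shapes
# returned by GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock (no AWS call).
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def acl_public_grants(acl):
    """Permissions the ACL hands to the anonymous or any-AWS-account group."""
    return sorted(g["Permission"] for g in acl.get("Grants", [])
                  if g["Grantee"].get("Type") == "Group"
                  and g["Grantee"].get("URI") in PUBLIC_GROUPS)

def policy_public_sids(policy_doc):
    """Sids of unconditional Allow statements whose Principal is everyone."""
    sids = []
    for st in policy_doc.get("Statement", []):
        p = st.get("Principal")
        everyone = p == "*" or (isinstance(p, dict) and p.get("AWS") == "*")
        if st.get("Effect") == "Allow" and everyone and not st.get("Condition"):
            sids.append(st.get("Sid", "<no Sid>"))
    return sids

def assess_bucket(acl, policy_json=None, pab=None):
    """Exposure findings; an empty list means nothing is public. Block Public
    Access flags override the grants they target: IgnorePublicAcls neutralises
    public ACL grants, RestrictPublicBuckets public policy statements."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    findings = []
    grants = acl_public_grants(acl)
    if grants and not cfg.get("IgnorePublicAcls"):
        findings.append("ACL grants %s to a public group" % ", ".join(grants))
    if policy_json:
        sids = policy_public_sids(json.loads(policy_json))
        if sids and not cfg.get("RestrictPublicBuckets"):
            findings.append("policy %s allows Principal *" % ", ".join(sids))
    return findings

# Constructed sample: a bucket left "public" through ACL and policy, plus the fix.
LEAKY_ACL = {"Grants": [
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
HARDENED_PAB = {"PublicAccessBlockConfiguration": {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True}}
```

Running `assess_bucket(LEAKY_ACL, LEAKY_POLICY)` lists both the ACL grant and the policy statement, while passing `HARDENED_PAB` as the third argument returns no findings, which is the state the buckets should have been in.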

Data exposed in the Key Ring data leak included government IDs, NRA
membership cards, medical marijuana ID cards, credit cards with all
the details, including the CVV numbers, and medical insurance cards.

Other information exposed in the data leak included CSV files
detailing membership lists for prominent North American retailers who
use Key Ring as a marketing platform. These lists contained the
personally identifiable information (PII) data of millions of people.

Companies whose customers' details were exposed in the leak include
Walmart, Kleenex, La Madeleine Bakery, Foot Locker, and Mattel.

VpnMentor researchers said that every Key Ring file they viewed could
also be downloaded and stored offline, making them completely

"These unsecured S3 buckets were a goldmine for cybercriminals, making
millions of people across North America vulnerable to various forms of
attack and fraud," said researchers.

"We can’t say for certain that nobody else found these S3 buckets and
downloaded the content before we notified Key Ring."

VpnMentor researchers discovered the buckets in January 2020 using
web-scanning tools.

"Once the details of the leak were confirmed, we immediately contacted
Key Ring and AWS to disclose the discovery and assist in fixing the
leak. The buckets were secured shortly after," said researchers.

Since Key Ring does not include a privacy policy or outline of its
data protection policies on the app’s website, it's impossible to
ascertain what measures they follow to protect user data.
