[BreachExchange] Exercise tech firm Kinomap leaks 40GB database with 42M records

Destry Winant destry at riskbasedsecurity.com
Thu Apr 23 10:12:27 EDT 2020


Kinomap never responded to the researchers and left the database publicly
accessible for almost a month after being notified.

Another day, another data breach: this time, researchers have discovered a
new trove of personal data exposed online, putting millions of unsuspecting
users at risk of online scams and privacy breaches.

Discovered by researchers at vpnMentor, the database belonged to Kinomap, a
France-based exercise technology company with millions of active
subscribers. The service lets users record their exercise and training
videos and share them with other users. More information on how the
company works is available on its Wikipedia page.

In this incident, the company exposed 40GB of data containing 42 million
personal records of users across the globe. According to vpnMentor’s blog
post, these records contained Personally Identifiable Information (PII)
including:

   - Gender
   - Country
   - Full names
   - Usernames
   - Profile links
   - Home country
   - Date of joining
   - Email addresses
   - Exercise timestamps

The worrisome part of this incident, beyond the leak itself, is Kinomap’s
handling of the disclosure. vpnMentor’s research team discovered the
database on 16th March 2020 and, after identifying its owner, notified the
company twice, on 18th March 2020 and 30th March 2020, yet Kinomap neither
responded to the researchers nor secured the database.

On 12th April 2020 the database was finally closed to public access, which
vpnMentor’s team believes was the result of intervention by the French
Commission Nationale de l’Informatique et des Libertés (CNIL, the national
data protection authority). The researchers had contacted the CNIL on 31st
March 2020.

A similar attitude was seen recently from the self-described “World’s most
secure online backup” provider SOS Online Backup, which exposed 135 million
user records and never responded to researchers either.

Although these records did not contain passwords or payment data, PII alone
is often all cybercriminals need: full names, usernames and email addresses
together are enough for convincing targeted phishing, and the combination
can be used for identity theft and other scams.

It is, however, unclear whether the database was accessed by a third party
with malicious intent. If it was, one can expect the data to be dumped on
hacker forums and dark web marketplaces. For example, just two days ago a
hacker was found selling 267 million Facebook records, which turned out to
be the same database that was leaked in December 2019 from a misconfigured
Elasticsearch server.

Nevertheless, it is bad news for Kinomap: apart from users in Canada, Japan,
South Korea, and the United States, most of the exposed data belonged to
users in European countries including Belgium, Finland, Hungary, Germany,
Portugal, France, and the United Kingdom. This suggests that a hefty GDPR
fine could be coming its way.