[BreachExchange] Covve Contacts App Data Breach Exposes 23 Million Email Addresses and Other Private Details

Destry Winant destry at riskbasedsecurity.com
Thu May 21 10:33:10 EDT 2020


https://securityboulevard.com/2020/05/covve-contacts-app-data-breach-exposes-23-million-emails-addresses-and-other-private-details/

An open Elasticsearch database belonging to a company named Covve
leaked online, impacting around 23 million email addresses and other
personal details.

Troy Hunt, the researcher behind the Have I Been Pwned portal, wrote a
while back about a data breach he dubbed “db8151dd” after one of the
unique global identifiers used inside the database. It’s a 90GB trove
of personal information with millions of entries. The weirdest part
was that nobody knew where it came from.

Now, the source of that data breach has been identified as Covve,
which has a popular contacts app with CRM features, business cards,
and more. Covve recently acknowledged a security incident.

“Data belonging to approximately 90,000 users was compromised by a 3rd
party who gained unauthorized access to a legacy system before it was
decommissioned in early January,” said Covve on their blog. “This
system related to the now-retired Covve web app. It appears at this
stage that contact data such as name and contact details were
accessed, that the data cannot be directly associated with specific
users, and no user passwords were compromised.”

The biggest problem with this data breach is that it affects people
who had nothing to do with the app. For example, if someone had your
phone number and email address and used the Covve app, your data was
leaked just the same.

And since the Covve app scraped the Internet for details on contacts
people added into the app, the size of the breach becomes all the more
evident. Unfortunately, users can’t do a whole lot about this problem,
especially since the breach affects mostly people who have nothing to
do with the app.

