UPDATED 22:33 EDT / APRIL 02 2020

SECURITY

Digital wallet app Key Ring exposes user data on misconfigured cloud databases

Data belonging to 14 million users of the Key Ring digital wallet app has been discovered exposed on multiple Amazon Web Services Inc. S3 buckets.

The breach was discovered and publicized today by security researchers Noam Rotem and Ran Locar at vpnMentor. The app, which is primarily designed to upload scans and photos of loyalty cards, is also used by many users to store copies of driver licenses, credit cards and more.

The exposed S3 buckets, five in total, had been misconfigured and set to public, and they held 44 million images. Along with credit cards and driver licenses, other images found included medical insurance cards, medical marijuana cards, government ID cards, gift cards and even National Rifle Association membership cards.

Along with its consumer app side, Key Ring also operates as a marketing platform for multiple U.S. retail brands. Also found on the buckets were CSV files detailing membership lists and reports for many of Key Ring’s corporate clients that included personally identifiable information on millions of people.

The databases were first discovered in January, and the company was contacted Feb. 18. The databases were taken offline Feb. 20.

Noting that they can’t say for certain that nobody else found the S3 buckets and downloaded the data before they notified Key Ring, the researchers said that “had malicious hackers discovered these buckets, the impact on Key Ring users (and the company itself) would be enormous.”

The company itself has not commented publicly on the report.

“Developers can take ‘minimum viable product’ to mean ‘does this work’ — they often forget to add security into their viability equation,” Patrick Hamilton, cybersecurity evangelist at training firm Lucy Security AG, told SiliconANGLE. “For Key Ring, it seems overly simple to say basic security hygiene means following the instructions that came with your S3 bucket.”

As for Key Ring users, Hamilton added, “there’s a minimum cost of convenience: they will now have to be hyper-vigilant with every email they receive. Phishing attacks with this level of information will easily get past firewalls.”
