

Data belonging to 14 million users of the Key Ring digital wallet app has been discovered exposed on multiple Amazon Web Services Inc. S3 buckets.
The breach was discovered and publicized today by security researchers Noam Rotem and Ran Locar at vpnMentor. The app, which is primarily designed to upload scans and photos of loyalty cards, is also used by many users to store copies of driver licenses, credit cards and more.
The exposed S3 buckets, five in total, had been misconfigured and set to public, and they included 44 million images. Along with credit cards and driver licenses, other images found included medical insurance cards, medical marijuana cards, government ID cards, gift cards and even National Rifle Association membership cards.
Along with its consumer app side, Key Ring also operates as a marketing platform for multiple U.S. retail brands. Also found on the buckets were CSV files detailing membership lists and reports for many of Key Ring’s corporate clients that included personally identifiable information on millions of people.
The databases were first discovered in January, and the company was contacted Feb. 18. The databases were taken offline Feb. 20.
Noting that they can’t say for certain that nobody else found the S3 buckets and downloaded the data before they notified Key Ring, the researchers said that “had malicious hackers discovered these buckets, the impact on Key Ring users (and the company itself) would be enormous.”
The company itself has not commented publicly on the report.
“Developers can take ‘minimum viable product’ to mean ‘does this work’ — they often forget to add security into their viability equation,” Patrick Hamilton, cybersecurity evangelist at training firm Lucy Security AG, told SiliconANGLE. “For Key Ring, it seems overly simple to say basic security hygiene means following the instructions that came with your S3 bucket.”
As for Key Ring users, Hamilton added, “there’s a minimum cost of convenience: they will now have to be hyper-vigilant with every email they receive. Phishing attacks with this level of information will easily get past firewalls.”