Key Ring, creator of a digital wallet app used by 14 million people across North America, has exposed 44 million IDs, charge cards, loyalty cards, gift cards and membership cards to the open internet, researchers say.
The Key Ring app allows users to upload scans and photos of various physical cards into a digital folder on a user's phone. While Key Ring is primarily designed for storing membership cards for loyalty programs, users also store more sensitive cards in the app. The research team at vpnMentor said it found 44 million scans exposed in a misconfigured cloud database, including government IDs, retail club membership and loyalty cards, NRA membership cards, gift cards, credit cards with all details exposed (including CVV numbers), medical insurance cards and medical marijuana ID cards, among others.
vpnMentor said that it found a total of five misconfigured Amazon Web Services (AWS) S3 cloud storage buckets owned by the company. Because the buckets had no password protection, they could have revealed millions of these uploads to anyone with a web browser, the firm said; every file could also be downloaded and stored offline.
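The two settings that make an S3 bucket readable "by anyone with a web browser" are an ACL grant to the AllUsers/AuthenticatedUsers groups and a bucket policy with a wildcard Principal. The checker below is an added example, not code from the article or from vpnMentor; it works on the JSON shapes returned by the real S3 GetBucketAcl and GetBucketPolicy APIs, and the sample buckets at the bottom are constructed.

```python
"""Flag S3 bucket ACLs and policies that let anyone on the internet read the bucket.
Inputs use the JSON shapes returned by the S3 GetBucketAcl and GetBucketPolicy
APIs; the sample buckets at the bottom are constructed for this example."""
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTH_USERS}

def public_acl_grants(acl):
    """Return (group URI, permission) for every ACL grant aimed at a public group."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            hits.append((grantee["URI"], grant["Permission"]))
    return hits

def _principals(stmt):
    """Normalise Principal ("*", {"AWS": "*"} or {"AWS": [...]}) to a plain list."""
    principal = stmt.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)

def public_policy_statements(policy):
    """Return the Sid of every Allow statement whose principal is the wildcard."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be given as one object
        statements = [statements]
    return [s.get("Sid", "<no Sid>") for s in statements
            if s.get("Effect") == "Allow" and "*" in _principals(s)]

def is_public(acl, policy):
    """True if either mechanism exposes the bucket. Enabling S3 Block Public Access
    on the account overrides both mechanisms and is the standard mitigation."""
    return bool(public_acl_grants(acl)) or bool(public_policy_statements(policy))

# Constructed samples: an ACL granting READ to everyone, a wide-open policy, a private ACL.
LEAKY_ACL = {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
LEAKY_POLICY = {"Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
PRIVATE_ACL = {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
                           "Permission": "FULL_CONTROL"}]}
```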
Threatpost reached out to Key Ring's media team multiple times over the last few days for a comment or reaction to the findings, with no response, and will update this post with any additional information should the company eventually respond.
Five Databases of Information
According to the research, launched Thursday and shared with Threatpost ahead of publication, vpnMentor came across indicators of an initial exposed bucket in January, which contained the scanned card information. However, that wasn't the extent of the exposed data.
Image: one of the scans in the database.
The researchers also said that they found older, brand-specific loyalty-card lists sorted by retail company, including CSV databases detailing various reports on customers of Walmart, Footlocker and other big brands. vpnMentor said that the lists contained personally identifiable information (PII) data for millions, including full names, emails, membership ID numbers, dates of birth, physical addresses and ZIP codes. The firm also said that the data set stretched back in some cases to 2014.
Examples of the number of people exposed in these lists include 16 million for Walmart, 64,000 for the Kids Eat Free Campaign, 6,600 for La Madeleine and 2,000 for Mattel, among others, it said.
Also, as the firm was looking into the situation, it said that it found four additional unsecured S3 buckets belonging to Key Ring, which it said contained even more sensitive data.
vpnMentor said that these additional four storage units each contained a different snapshot of Key Ring's internal database of users, containing emails, home addresses, device and IP address info, encrypted passwords and the "salt" randomized data used to encrypt them, and more.
Disclosure and Exposure
Once the details of the leak were confirmed, the vpnMentor team said that it contacted Key Ring and AWS to disclose the discovery on February 18, and the buckets were secured two days later.
However, Key Ring itself never responded to the firm's findings.
"We reached out to them but didn't get any reply," Noam Rotem, lead of vpnMentor's research team, told Threatpost. "At the same time, we reached out to Amazon, who (we believe) reached out to them too in order to secure the data. As we haven't been in touch with them, we don't know if they're going to notify their users."
The research team is unsure of how long the data was exposed prior to the discovery.
"In fact, we can't say for certain that nobody else found these S3 buckets and downloaded the content before we notified Key Ring," according to the analysis shared with Threatpost. "If this happened, simply deleting the exposed data and securing the S3 buckets might not be enough. Hackers would still have access to all the data, stored locally, offline and completely untraceable."
vpnMentor said that the team did not reach out to the third parties (Walmart, et al) about the data exposure: "It doesn't seem related to data sharing, as data sharing is supposed to be related to the PII provided by their customers, and not the cards [that individuals] scan and save in their wallet," Rotem said.
Potential Fallout
Key Ring's databases, if they've been stolen, could facilitate massive fraud and identity theft schemes targeting millions of people in America and Canada, according to the analysis.
Any cybercriminal that accessed the databases could sell the information on the criminal underground, or use it themselves, vpnMentor pointed out. Potential attacks include identity theft; the ability to file fraudulent tax returns and claim refunds in victims' names; credit-card fraud and online shopping fraud; account takeovers; stealing and using accrued loyalty points; and even "loan stacking," where criminals take out multiple loans in a person's name, from automated lenders, with numerous payouts made before the victim becomes aware. Plus, the wealth of information opens victims up to phishing and convincing email scams.
"What's most notable about this incident is that people would trust companies to secure their data, and hence share with them everything, including their credit cards (both sides), without fearing that this could be exploited," Rotem told Threatpost. "Needless to list the risks related to a clear credit-card picture leaking."
vpnMentor pointed out that the company itself could also be in danger if the database has been downloaded by criminal hackers.
"Aside from losing users and partners, Key Ring would have been vulnerable to legal action, fines and intense scrutiny from government data privacy groups," the research noted. "Key Ring is already no longer operating in the EU due to the inability to comply with GDPR. With California enacting its data privacy law in January 2020 — the CCPA — Key Ring could still have faced investigation and fines from the state's legislative bodies. Given the scale and seriousness of this leak, the impact on the company's finances, reputation and market share would be unmeasurable."
The company's privacy policy was last updated in March 2015 and states: "We may encrypt certain sensitive information using Secure Socket Layer (SSL) technology to ensure that your Personally Identifiable Information is safe as it is transmitted to us."
It adds: "However, no data transmission can be guaranteed to be 100 percent secure. As a result, while we employ commercially reasonable security measures to protect data and seek to partner with companies that do the same, we cannot guarantee the security of any information transmitted to or from the Website or via the Key Ring Service, and are not responsible for the actions of any third parties that may receive any such information."
Cloud misconfigurations are all too common, with businesses both large and small inadvertently exposing users' personal data. In fact, a recent Unit 42 report found that more than half (60 percent) of breaches occur in the public cloud due to misconfiguration.
Rotem told Threatpost that "we're not here to judge how these companies are managing their customers' data." However, he added that "too many companies are failing at protecting their data… the way they react to such leaks, fix and respond is what would distinguish a company that cares about its security and customers, from a company that doesn't."
Threatpost also reached out to Key Ring for more details on its disclosure policies and how it has handled this incident.