Nowadays it becomes quite common and frequent to see how apps and companies are suffering cyber attacks, which resulting massive data breaches.
Recently, a team of security researchers at Check Point security company has reported a massive data breach in which data of 100 million users were exposed. This data breach happened due to a series of bad security configurations of third-party services in the cloud.
According to the security report from Checkpoint research, in total 23 Android applications were compromised, and the threat actors have found the compromised data in the unprotected real-time databases.
The most shocking thing about all these 23 Android apps is their downloads, as each of them has download counts ranging from 10,000 to 10 million.
The cybersecurity researchers have claimed that in this massive data breach the following type of personal data has been compromised, and here they are mentioned below:-
- Email addresses
- Private messages
- Personal photos
- User ID
- Push notifications
- Screen recording
- User location
- Personal files
- Payment details
- Private chats
- Dates of birth
- Phone numbers
More Than 100 Million Users’ Data Exposed
As we told that 23 applications were compromised, and there have been more than 100 million personal data of different users who use all these Android apps were compromised.
And this data breach happened only due to the app developers’ misconfiguration of third-party services. It’s a bad practice and not only that even it also depicts that how seriously nowadays the developers take the security measures.
The security analysts are able to discover this breach only for their routine investigation, as a routine security checkup they carried out this investigation on these 23 apps.
After their investigation, they found that some real-time databases that did not have any type of security or protection system. And the analysts easily got access to the exposed personal data of the users like email addresses, usernames, passwords, photos, chats, and messages as well.
The use of use real-time database is a general thing for app developers, as they use this technology to store data in the cloud so that in real-time they can synchronize that data with their users.
Hiding the keys
During the security investigation, the cybersecurity researchers have also discovered some other sensitive details related to the developer, that are implanted in some of the apps that are tested by them.
Even they also affirmed that they discovered the credentials for push notification services in one of the tested applications.
Among those 23 apps, the security experts have found the cloud storage keys in two popular apps, Screen Recorder, and iFax. Here, the Screen Recorder is available on Google Play with more than 10 million installations.
Due to the obscure security adoption, some of the developers are unexpectedly compromising the security of their users’ data and privacy. As the researchers have alleged that some of the developers have used base64 encoding, due to which the decoding remains unprotected.
The security specialists at Check Point have distinctly pronounced that among 23 compromised apps, many of them have more than 10 million downloads on Google Play Store, and here the most interesting thing is that a maximum of them are don’t have any protected database.
Moreover, the Astro Guru is one of the apps that offer astrology, horoscope, and palmistry services, so, due to the prediction of several factors the users put more and accurate data, and as a result, the security authorities have found a large amount of endangered user data in its real-time database.
But, fortunately, this severe privacy error has only transpired in a small number of apps like Screen Recorder, iFax, Logo Maker, T’Leva, or Astro Guru.
However, as a security measure or mitigation, the experts have strongly recommended the users to uninstall these apps from their Android devices immediately.
While the research team at Check Point security firm has already contacted and reported this serious privacy error to Google, and all the developers of these apps before making it public.