A digital wallet app with millions of users has become the latest organization to be caught storing customer data in unsecured Amazon Web Services (AWS) S3 buckets.
Researchers at vpnMentor discovered five misconfigured buckets containing the personal data of 14 million users of the Key Ring app.
The Key Ring app allows users to upload and store scans and photos of membership and loyalty cards in a digital folder on their mobile device. It is also commonly used as a convenient way to scan and store copies of their ID, driver's license, gift cards, and credit cards.
The misconfigured buckets, which were set to "public" rather than "private," were found to contain 44 million images uploaded by Key Ring users.
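The "public rather than private" setting the article describes shows up in two places on an S3 bucket: the ACL (a grant to the AllUsers or AuthenticatedUsers group) and the bucket policy (an Allow statement whose Principal is "*"). The script below is an added example, not code from the article, from vpnMentor, or from Key Ring; it audits the JSON documents that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return, offline, and emits the Block Public Access configuration that prevents this class of exposure. The grantee URIs, policy fields and PublicAccessBlock keys are the real AWS ones; the bucket name, owner ID and the two sample documents are constructed for the example.

```python
"""Offline audit of S3 bucket ACLs and bucket policies for public exposure.

Added example (not the article's or Key Ring's code). Input documents are
the JSON shapes returned by `aws s3api get-bucket-acl` and
`aws s3api get-bucket-policy`; the samples at the bottom are constructed.
"""
from typing import List, Optional, Tuple

# Real predefined-group URIs: a grant to either makes an ACL world-readable
# (AllUsers) or readable by anyone with any AWS account (AuthenticatedUsers).
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl: dict) -> List[Tuple[str, str]]:
    """Return (group, permission) pairs granted to everyone by an ACL."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append((group, grant.get("Permission", "")))
    return findings


def _principal_is_wildcard(principal) -> bool:
    """True if a statement's Principal matches any caller ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_public_statements(policy: dict) -> List[str]:
    """Return Sids of Allow statements open to any principal with no Condition."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    sids = []
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _principal_is_wildcard(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Conditioned grants (e.g. aws:SourceVpce) may still be too broad,
            # but they are not unconditionally public; review them separately.
            continue
        sids.append(stmt.get("Sid", f"statement[{idx}]"))
    return sids


def bucket_is_public(acl: dict, policy: Optional[dict]) -> bool:
    """A bucket is public if either its ACL or its policy opens it to everyone."""
    return bool(acl_public_grants(acl)) or bool(policy and policy_public_statements(policy))


def recommended_public_access_block() -> dict:
    """S3 Block Public Access settings that neutralise both exposure paths.

    Same shape as the PublicAccessBlockConfiguration accepted by
    `aws s3api put-public-access-block --bucket <name> --public-access-block-configuration`.
    """
    return {
        "BlockPublicAcls": True,       # reject new public ACLs
        "IgnorePublicAcls": True,      # ignore public ACLs already present
        "BlockPublicPolicy": True,     # reject new public bucket policies
        "RestrictPublicBuckets": True, # limit an existing public policy to the account
    }


# Constructed sample documents (owner ID and bucket name are placeholders).
OWNER = {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-CANONICAL-ID"}
PRIVATE_ACL = {"Owner": {"ID": OWNER["ID"]},
               "Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]}
PUBLIC_ACL = {"Owner": {"ID": OWNER["ID"]},
              "Grants": PRIVATE_ACL["Grants"] + [
                  {"Grantee": {"Type": "Group",
                               "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                   "Permission": "READ"}]}
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    for label, acl, pol in [("open bucket", PUBLIC_ACL, PUBLIC_POLICY),
                            ("scoped bucket", PRIVATE_ACL, SCOPED_POLICY)]:
        print(label, "public:", bucket_is_public(acl, pol),
              acl_public_grants(acl), policy_public_statements(pol))
    print("apply:", recommended_public_access_block())
```

Run against real buckets, feed the script the output of the two `get-bucket-*` calls per bucket; any non-empty finding is a candidate for the Block Public Access configuration above, which closes both the ACL and the policy route at once and is the control that would have kept these buckets private regardless of how individual objects were uploaded.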
Data exposed in the Key Ring data leak included government IDs, NRA membership cards, medical marijuana ID cards, credit cards with all the details, including the CVV numbers, and medical insurance cards.
Other information exposed in the data leak included CSV files detailing membership lists for prominent North American retailers that use Key Ring as a marketing platform. These lists contained the personally identifiable information (PII) of millions of people.
Companies whose customers' details were exposed in the leak include Walmart, Kleenex, La Madeleine Bakery, Foot Locker, and Mattel.
VpnMentor researchers said that every Key Ring file they viewed could also be downloaded and stored offline, making them completely untraceable.
"These unsecured S3 buckets were a goldmine for cybercriminals, making millions of people across North America vulnerable to various forms of attack and fraud," said researchers.
"We can’t say for certain that nobody else found these S3 buckets and downloaded the content before we notified Key Ring."
VpnMentor researchers discovered the buckets in January 2020 using web-scanning tools.
"Once the details of the leak were confirmed, we immediately contacted Key Ring and AWS to disclose the discovery and assist in fixing the leak. The buckets were secured shortly after," said researchers.
Since Key Ring does not publish a privacy policy or any outline of its data protection practices on the app's website, it is impossible to ascertain what measures it follows to protect user data.