Serious Flaw in Communication App Exposes Data of 5 Million
Who: Dalil
# of Accounts Breached: More than 5 million users
What was affected: Personal Information by Users.
The app collects users’: Cell phone number, IP address (internal and external where applicable)
Device model, token, serial number, and operating system, IMEI (the device’s specific identification number), Sim card and network provider information
GPS and network location information and personal information including an email account,
First and last name, Gender, Profession
How it happened: All the user data gathered by the app is stored in an unsecured and unmonitored MongoDB database. It’s reachable without authentication, giving hackers password-free access to millions of people’s data.
As well as the application log, this database includes both harvested and voluntarily-submitted personal information.
Outcome: We contacted Dalil to alert them to this security breach. Our information included the date on which we planned to publish this article, and gave them a few days to find and secure their database before this knowledge became public. At the time of publication, we had not yet heard back from them. As hackers can obviously find this database online – and may have already – it’s important to share our findings with the public so they can take appropriate measures to protect their data.