Poorly Secured Server Leaked Real Time GPS Data From App
Who: Family Locator App
# of Accounts Breached: More than 238,000 users.
What was affected: User’s name, email address, profile photo, and their plaintext passwords.
When it happened: 20 Mar 2019
How it happened: A popular family tracking app was leaking the real-time locations of more than 238,000 users for weeks after the developer left a server exposed without a password.
Outcome: TechCrunch spent a week trying to contact the developer, React Apps, to no avail. The company’s website had no contact information — nor did its bare-bones privacy policy. The website had a privacy-enabled hidden WHOIS record, masking the owner’s email address. We even bought the company’s business records from the Australian Securities & Investments Commission, only to learn the company owner’s name — Sandip Mann Singh — but no contact information. We sent several messages through the company’s feedback form but received no acknowledgment.
On Friday, we asked Microsoft, which hosted the database on its Azure cloud, to contact the developer. Hours later, the database was finally pulled offline.