App exposes 44 million user records: Driver’s licenses, credit cards, medical info
April 5, 2020
By Kim Komando
Digital safety is what we’re all about here at Komando.com. That’s why we always recommend users back up their digital data and use secure apps to store important logins and membership info.
Unfortunately, not all apps are created equal. Some programs offer a plethora of useful features but they’re weak when it comes to cybersecurity.
When an app suffers a data leak, it’s a big deal. And when the app in question is designed to store private information like ID and membership cards, it’s far more dangerous. This recently happened to one of the most popular digital wallet apps on the market and millions of users might now be in jeopardy.
Key Ring leaves the door open for hackers
Key Ring is a popular app for iOS and Android, designed to store digital copies of loyalty cards for dining, travel and shopping. Many users also upload more personal cards, like state IDs, driver’s licenses, credit cards, medical IDs and more for convenience.
This practice isn’t officially endorsed by the app’s developers, but it’s common enough to make a recent security incident more than a little alarming.
According to reports from researchers at vpnMentor, a misconfigured Amazon Web Services server owned by Key Ring left more than 44 million user records exposed with no form of protection. This means all those ID and membership cards users stored were floating around on the web and were up for grabs.
When vpnMentor discovered the servers, they found that they were accessible using nothing more than a web browser. As long as someone had access to the URL, they could easily view tons of cards and personal information.
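The following is an added illustration, not code from the article or from vpnMentor's report: an offline check for the kind of misconfiguration described above, flagging a bucket policy or ACL that grants read access to anyone who knows the URL. It assumes the exposed storage was an S3 bucket (the article only says "Amazon Web Services server"), and the sample policies and ACLs are constructed, not Key Ring's real configuration.

```python
# Added example: offline check for the misconfiguration described above. Does an
# S3 bucket policy or ACL grant read access to anyone? Inputs below are constructed
# samples, not Key Ring's real configuration (which the article does not show).
import json

PUBLIC_ACL_URIS = ("http://acs.amazonaws.com/groups/global/AllUsers",
                   "http://acs.amazonaws.com/groups/global/AuthenticatedUsers")

def _is_wildcard_principal(principal):
    # Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def policy_findings(policy_json):
    """Actions a bucket policy grants to everyone (wildcard principal + Allow)."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        # A Condition may narrow the grant (e.g. to one VPC); flag for review, don't pass it.
        tag = " (conditional)" if "Condition" in stmt else ""
        findings.extend(a + tag for a in actions)
    return findings

def acl_findings(grants):
    """Permissions the ACL grants to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_ACL_URIS]

def bucket_is_public(policy_json, grants):
    return bool(policy_findings(policy_json) or acl_findings(grants))

# Constructed sample: a policy that lets anyone who knows the URL fetch objects.
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}]})
# Corrected form: only a named role (placeholder account id) may read; all else is denied.
LOCKED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": PUBLIC_ACL_URIS[0]}, "Permission": "READ"}]
OWNER_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]
```

Run against a real account, the same two functions can be fed the output of `get_bucket_policy` and `get_bucket_acl` for each bucket; AWS's account-level Block Public Access setting is the simpler safeguard when no bucket needs to be public.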
The exposed records were found to contain Key Ring users’ information, including email addresses, device and IP data, home addresses and passwords, although the passwords, at least, were encrypted.
After vpnMentor disclosed its findings to Key Ring, the company fixed the misconfiguration and locked the servers down for good. It’s not known how long the servers were unprotected, but vpnMentor made its initial discovery back in January.
That’s not all that was wrong with these servers. Multiple CSV files were discovered containing membership lists and reports for businesses that offer loyalty cards. Here are some of the companies affected, as well as the number of users included in the lists:
- Walmart/Kleenex list – 16,000,000
- Kids Eat Free Campaign – 64,000
- Unknown marketing campaign report – 86,000
- La Madeleine Bakery chain – 6,600
- Footlocker: Unknown number of records
- Mattel – 2,000
These lists contained a trove of personally identifying information like names, email addresses and home addresses.
Maybe “leak” isn’t the right word for a breach of this magnitude. It’s more like a “flood.”
I use Key Ring. How can I protect myself from cyberattacks?
In 2019, Key Ring claimed to host nearly 14 million active users. It is currently unknown whether anyone has exploited the leaked data in the wild, so every single one of these Key Ring users is at risk of some kind of identity theft.
To protect yourself, your best course of action is to first delete the Key Ring app from your device. Even though the company has now encrypted its servers, the company has no explicit privacy policy guaranteeing the safety of your data.
Once you’ve finished deleting the app, visit Key Ring’s support page and submit a request to have your account deleted. Include your account email address and tell them you no longer want the service and you want all your account data to be deleted. When your account is deleted, all your data and images will be removed.
Next, you should contact your bank or credit card company to make sure they’re aware of the risk you face. Additionally, you may also want to contact a credit bureau and freeze your credit to prevent anyone from opening any accounts in your name.
As cliché as it sounds, this incident is exactly why reading the fine print in user agreements matters. Those long agreements can be a pain in the neck to read through, so consider an app that skims them for you and highlights any unusual privacy gotchas.
Because Key Ring lacks a formal privacy policy, it technically hasn’t done anything wrong or violated any agreements in the eyes of the law. The burden lies on users to stay safe from data incidents. In the meantime, we’d say it’s probably not the best idea to scan your driver’s license digitally. Your real one will do just fine.
https://www.komando.com/tips/software-and-apps/key-ring-data-exposed/