Key Ring, maker of a digital wallet app, has exposed online 44 million IDs, charge cards, loyalty cards, gift cards and membership cards used by 14 million people across North America.
In the Key Ring app, users can upload scans and photos of various physical cards into a digital folder on their smartphone. Key Ring is essentially designed for storing membership cards for loyalty programs, but users also store more sensitive cards in the app.
Security researchers at vpnMentor found 44 million scans exposed in a misconfigured cloud database, which included government IDs, retail club membership and loyalty cards, NRA membership cards, gift cards, credit cards with all details exposed (including CVV numbers), medical insurance cards and medical marijuana ID cards, among others.
In total, five misconfigured Amazon Web Services (AWS) S3 buckets owned by the company were found. Because these buckets were not password-protected, anyone with a browser could access and download these millions of uploads.
vpnMentor came across an initial exposed bucket in January that contained the scanned card information, but that wasn’t the full extent of the exposed data.
They also found older, brand-specific loyalty-card lists sorted by retail company, including CSV databases detailing various reports on customers of Walmart, Footlocker and other brands. vpnMentor said that the lists contained personally identifiable information (PII) for millions, including full names, emails, membership ID numbers, dates of birth, physical addresses and ZIP codes.
Later, they found four additional unsecured S3 buckets belonging to Key Ring, which contained even more sensitive data.
The research team contacted Key Ring and AWS to disclose the discovery on February 18, and the buckets were secured two days later.
Key Ring, however, has not responded regarding the issue.
It is not known how long the data was exposed online. It is also possible that hackers still have access to all the data, stored locally and offline.
If Key Ring’s databases were stolen, it might lead to massive fraud and identity theft schemes targeting millions of people in America and Canada.