Family Tracking App Spilled Pics, Names and Real-time Location Data (Mar 26, 2019)
The geolocation tracking application, "Family Locator," was discovered to have an unsecured and unencrypted MongoDB database that could allow anyone to view all the data every registered member stored in the application. Sanyam Jain, a researcher for the GDI Foundation found that the database stored information including user's real-time location, email address, name, password, profile photo, as well as the name of the places that were geofenced according to their account which were all publicly accessible. 238,000 users were impacted by this. Microsoft, who hosted the database, took it offline after being notified.
Recommendation: Databases should not be directly accessible over, or connected to the internet. Protect these services with authentication, do not allow guest or anonymous login. Leaks of this sort cause individuals to be at a large risk of phishing attacks. Actors can use this information to coerce more personal data from the victim. Users should also monitor their credit in order to make sure that nothing out of the ordinary is happening and no identity fraud is being committed.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.