Another mobile application “merged” data of its users

The Chinese company Nixi Technology, which produces the Boomoji mobile application for creating animated 3D avatars, has left in the public domain personal data of more than 5 million users of this application worldwide.

Recently, we wrote on Habré about how data flows from spyware applications, but unfortunately, not only their developers are prone to the syndrome, “oh, we seem to have forgotten to set access rights to the database.”

In the public domain, there were two Elasticsearch databases - one located in the United States was used to store data from international customers, and the second, located in Hong Kong, contained data from Chinese users (Chinese law requires citizens to keep personal data in China).

Databases were freely accessible both for reading and writing (including editing and deleting). They contained 5.3 million users of iOS and Android versions of Boomoji.

In addition to the data (user name, age, gender, country, phone model, and even the name of the institution) directly by the application users themselves, 125 million contacts of their address books (a copy of the phone numbers) were stored in the databases, as well as the history of geography for 375 thousand. users.

Of course, all the data lay in plain text, without any encryption.

Regular news about individual cases of data leakage, promptly published on the channel Information Leaks .