A Decade's Worth of Private User Data Has Been Exposed by Rallyhood

Rallyhood Data Leak

When Zack Whittaker from TechCrunch got in touch with Rallyhood to talk about a misconfigured S3 bucket that exposed quite a lot of user data, he was initially told that the leaky database was used for testing purposes only and that people's actual information was held 'in a highly secured bucket.' Later, Chris Alderson, Rallyhood's Chief Technology Officer, provided a different version of the events. He admitted that during a migration project, 'permissions were mistakenly left open' on one of the company's storage buckets for 'a brief period.' At the time of writing, this is the only piece of information that Rallyhood has shared with the rest of the world regarding the incident, and it must be said that this is hardly ideal given the amount and nature of the leaked data.

Another day, another leaky S3 bucket exposes the files of millions of users

The leak was discovered by a security researcher who prefers to be known by his Twitter handle, Timeless. Timeless decided to use TechCrunch's influence to ensure that the data was secured as quickly as possible, which, in light of Rallyhood's business and enormous userbase, was indeed the most urgent task.

The website's popularity was given a massive boost when Yahoo announced that it's about to ax Yahoo Groups, and hordes of people moved their discussions to Rallyhood. We should point out, however, that Rallyhood is a lot more than just a messaging board. It's also a collaboration platform that is used by organizations of all shapes and sizes with the purpose of organizing and tracking tasks and events. This means that Rallyhood needs to process and store a lot of data.

The company won't say how many active users the platform has, and estimating the exact number of people affected by the leak is not really possible at the moment. What we do know is that the S3 bucket held a whopping 4.1TB of data and that, thanks to an all-too-common configuration mistake, it was publicly accessible without any authentication. According to Zack Whittaker, the bucket's URL was "easily guessable" as well, which made the possibility of someone getting their hands on the information even more real.
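The "permissions left open" failure described above is one a bucket owner can check for mechanically. The script below is an added illustration, not Rallyhood's code or the policy involved in the incident: it evaluates a constructed S3 bucket policy document the way an auditor would, flagging any Allow statement whose Principal is the wildcard and that carries no Condition, and it reports which of the four S3 Block Public Access settings are switched off. The policy documents, the account ID and the bucket name are all constructed sample values.

```python
"""Audit an S3 bucket policy and Block Public Access settings for anonymous access.

Added illustration (not Rallyhood's code). The policy documents and the
settings dict below are constructed samples for the demo, not real data.
"""
import json


def _as_list(value):
    # IAM/S3 policy fields may be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _principals(principal):
    # Principal is either the string "*" or a dict such as {"AWS": "*"} / {"AWS": [...]}.
    if isinstance(principal, str):
        return [principal]
    out = []
    for v in principal.values():
        out.extend(_as_list(v))
    return out


def public_grants(policy_json):
    """Return (Sid, actions, resources) for every statement that allows anyone.

    A statement counts as public when Effect is Allow, the Principal contains "*",
    and there is no Condition narrowing it (conditions such as aws:PrincipalOrgID
    can scope a wildcard principal and deserve manual review instead of a flat finding).
    """
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _principals(stmt.get("Principal", {})):
            continue
        if stmt.get("Condition"):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"),
                         _as_list(stmt.get("Action", [])),
                         _as_list(stmt.get("Resource", []))))
    return findings


def block_public_access_gaps(config):
    """Return the names of the S3 Block Public Access settings that are not enabled."""
    wanted = ("BlockPublicAcls", "IgnorePublicAcls",
              "BlockPublicPolicy", "RestrictPublicBuckets")
    return [k for k in wanted if not config.get(k, False)]


# Constructed sample: the kind of policy a migration might leave behind. s3:ListBucket
# for "*" lets anyone enumerate every key, so a guessable bucket name is all it takes.
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-migration-bucket",
                     "arn:aws:s3:::example-migration-bucket/*"],
    }],
})

# Constructed sample: the same access restricted to one IAM role (placeholder account ID).
SAFE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-role"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-migration-bucket",
                     "arn:aws:s3:::example-migration-bucket/*"],
    }],
})

# Constructed sample of a partially configured Block Public Access setting.
PARTIAL_BPA = {"BlockPublicAcls": True, "IgnorePublicAcls": False,
               "BlockPublicPolicy": True, "RestrictPublicBuckets": False}


if __name__ == "__main__":
    for name, doc in (("leaky", LEAKY_POLICY), ("safe", SAFE_POLICY)):
        print(name, "->", public_grants(doc) or "no public grants")
    print("Block Public Access gaps:", block_public_access_gaps(PARTIAL_BPA))
```

Run it as-is and the leaky document produces one finding while the restricted one produces none; in practice the two inputs would come from GetBucketPolicy and GetPublicAccessBlock, and enabling all four Block Public Access settings at the account level is the single control that would have prevented an accidental policy like the first one from taking effect at all.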

Some of the exposed data is extremely sensitive

Whittaker reviewed some of the files and found contact details that allowed him to get in touch with the affected users and verify the authenticity of the leak. Unfortunately, in addition to phone numbers and email addresses, the bucket contained a lot more information.

TechCrunch's reporter found everything from contracts and permission slips to non-disclosure agreements and lists of shared passwords that were definitely not supposed to be publicly accessible. As we mentioned already, Rallyhood's CTO tried to do some damage limitation by telling TechCrunch that the exposure didn't last long, but he preferred not to say how "brief" the "brief period" was. What we do know for sure is that some of the files in the leaked database had a 2011 timestamp. Unfortunately, despite the fact that there was almost a decade's worth of private files in the misconfigured bucket, Rallyhood refused to tell TechCrunch whether the company has any plans to inform the potentially affected individuals.

All in all, so far, Rallyhood has demonstrated a distinct lack of transparency in its handling of what is undoubtedly a rather serious data leak. The company clearly made a mistake, which is hardly a good thing, but the really bad impression comes from the fact that it acts as if it's not willing to accept responsibility.

February 24, 2020