A Peekaboo Moments Data Breach Exposes Baby Photos and Videos
When security specialists say that anyone can fall victim to a data breach, they are not exaggerating for the sake of alarm. Dan Ehrlich of the security consultancy Twelve Security recently discovered a large exposed database which shows that you don't even need to know how to use an electronic device to have your privacy compromised.
The database was hosted on Alibaba Cloud servers and held about 100GB of data collected between March 2019 and January 2020. There was plenty to worry about, but Ehrlich was especially concerned when he found links leading to what looked like photos and videos of babies. After a short investigation, he traced the data to Peekaboo Moments, a mobile app that helps parents keep track of their children's growth.
Peekaboo Moments exposes tons of personal data
Ehrlich got in touch with Jeremy Kirk of Information Security Media Group, who helped with responsible disclosure of the incident. The two looked through the exposed database and found that it contained over 70 million log files which, in addition to links to photos and videos, held all sorts of personal information belonging to both parents and infants. The email addresses of "at least" 800 thousand Peekaboo Moments accounts were in the data, as were the API keys that let users connect the app to their Facebook profiles. With those keys, an attacker could access information the affected users had shared on Facebook, and the job was made easier still because Peekaboo Moments exposed some of its own API keys as well.
The logs also contained usage stats and a worrying amount of information about babies from all around the world. In addition to photos and videos, the database leaked the newborns' dates of birth, weight and height. GPS coordinates were also leaked, which would have let an attacker pinpoint a child's precise location.
How did Peekaboo Moments end up in this mess?
If you read through the marketing material on Peekaboo Moments' Google Play page, you'll be left with the impression that Bithouse, Inc., the app's developer, is fully aware of how important it is to keep users' data private. The facts, however, suggest otherwise.
The leaked information sat on an unprotected Elasticsearch server that required no credentials and could be queried by anyone with a browser and an internet connection. Bithouse is far from the only company to have made this mistake, but the number of other offenders is no mitigating factor, especially when the privacy of infants is at stake. According to Dan Ehrlich, the misconfigured database is just the tip of the iceberg.
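The failure mode in the paragraph above, an Elasticsearch node reachable from the internet with no authentication, is simple to check for on hosts you are responsible for. The script below is an added example, not code from the article or from Bithouse: it sends the same unauthenticated index-listing request that any browser can send and classifies the reply. The sample responses, index names and document counts are constructed for the demo, and the keyword list in sensitive_indices is a heuristic of my own, not anything taken from the incident.

```python
"""Check whether an Elasticsearch endpoint answers without credentials.

Added example; this is not code from the original article or from Bithouse.
The classifier is a pure function over an HTTP (status, body) pair so it can
run offline against constructed responses; probe_url() wraps it with a live
request for use against your own infrastructure.
"""
import json
import urllib.error
import urllib.request
from dataclasses import dataclass, field


@dataclass
class Finding:
    exposed: bool
    reason: str
    indices: list = field(default_factory=list)


def classify_response(status: int, body: str) -> Finding:
    """Classify the reply to GET /_cat/indices?format=json.

    A node with no authentication returns 200 and a JSON array of index
    descriptors (one dict per index with an "index" key). With X-Pack
    security enabled, or an authenticating proxy in front, the same request
    yields 401. Anything else is not an open Elasticsearch listing.
    """
    if status == 401:
        return Finding(False, "authentication required")
    if status != 200:
        return Finding(False, f"unexpected HTTP status {status}")
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return Finding(False, "non-JSON body; probably not Elasticsearch")
    if not isinstance(data, list) or not all(
        isinstance(d, dict) and "index" in d for d in data
    ):
        return Finding(False, "JSON, but not an Elasticsearch index listing")
    names = [d["index"] for d in data]
    return Finding(True, f"unauthenticated access to {len(names)} indices", names)


def sensitive_indices(names, keywords=("log", "user", "account", "photo", "gps")):
    """Flag index names that hint at personal data. The keyword list is a heuristic."""
    return [n for n in names if any(k in n.lower() for k in keywords)]


def probe_url(base_url: str, timeout: float = 5.0) -> Finding:
    """Send the unauthenticated request to a live node and classify the reply."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/_cat/indices?format=json",
        headers={"Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify_response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        # 401/403 and friends arrive as exceptions; still worth classifying.
        return classify_response(err.code, err.read().decode("utf-8", "replace"))
    except urllib.error.URLError as err:
        return Finding(False, f"connection failed: {err.reason}")


# Constructed sample replies; index names and counts are made up for the demo.
OPEN_BODY = json.dumps([
    {"health": "yellow", "status": "open", "index": "app-logs-2020.01", "docs.count": "1200"},
    {"health": "green", "status": "open", "index": "user-accounts", "docs.count": "340"},
    {"health": "green", "status": "open", "index": ".kibana_1", "docs.count": "3"},
])
LOCKED_BODY = json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request [/_cat/indices]"},
    "status": 401,
})


if __name__ == "__main__":
    import sys

    finding = probe_url(sys.argv[1]) if len(sys.argv) > 1 else classify_response(200, OPEN_BODY)
    print(f"exposed={finding.exposed}: {finding.reason}")
    for name in sensitive_indices(finding.indices):
        print(f"  possible personal data in index {name!r}")
```

Run it with the base URL of a node you are authorised to test (for example http://localhost:9200); with no argument it classifies the constructed open-node sample. An open node's REST API answers a plain browser just as readily as this script, which is exactly why "anyone with a browser" could read the Peekaboo Moments logs; the fix is to enable authentication on the node or put it behind an authenticating proxy, and to bind it to a private interface rather than the internet.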
Ehrlich told Information Security Media Group that "everything" about the app is "bizarrely done and grossly insecure." He didn't go into much detail, but at least some of his criticism likely relates to the fact that, by default, Peekaboo Moments' official website, complete with a login form on the homepage, loads over HTTP rather than HTTPS, so anything typed into that form travels across the network in plaintext and can be read or altered by anyone on the path.
Speaking of the app's website, it carries an announcement about the data leak written by Jason Liu, Peekaboo Moments' CEO. According to the statement, the leak was caused by a misconfigured logging server that held "a very small portion" of users' data. Liu apologized for the breach, promised that his company will try to do better from now on, and sought to reassure everyone that, apart from Ehrlich and Kirk, no outsiders had accessed the database. The links to children's photos and videos are reportedly no longer active because Bithouse secured the leaky database "shortly" after receiving the first report.
Jeremy Kirk's version of events differs somewhat. Information Security Media Group's report says that multiple attempts to reach Jason Liu and his company went unanswered. According to Kirk, it was not until several hours after the story was published that Bithouse returned an email saying the server was secure.
Whatever the case, the Peekaboo Moments leak is proof that cybersecurity incidents can affect even the most innocent and vulnerable members of society. It is worth remembering the next time you're deciding which app to use to share photos of your child.