A Shocking Key Ring App Data Leak Has Exposed 14 Million Users

Key Ring Data Leak

If you still think that serious data leaks are not that common, we have a story that might just be about to change your mind. In January, a team of researchers led by Noam Rotem and Ran Locar found a poorly configured AWS S3 bucket that was exposing a large amount of information. Unfortunately, in their article for vpnMentor, the experts admitted that they were so busy reporting other data leaks at the time, that they couldn't immediately investigate the issue and notify the people responsible for the exposure. It wasn't until about a month later that they finally got around to working on this particular leak.

Service providers are still struggling to get to grips with the access controls offered by cloud storage services, and leaks appear left, right, and center. Researchers can't keep up with reporting them, and as always, the unsuspecting user is left to bear the consequences. In this case, the potential consequences were enormous.

The Key Ring app exposes users' digital wallets to the whole world

The first bucket the researchers found contained a whopping 44 million images. It's a lot of data, but the truly shocking part is the nature of the exposed information. Once they found the time to investigate, the researchers found out that the misconfigured S3 bucket belonged to Key Ring – a mobile application that gives you, among other things, the option of digitizing most of the contents of your wallet. It lets you photograph and store virtual copies of things like membership cards and gift cards. Some of the 14 million people that use the app have also uploaded scans of their credit cards and personal ID documents. While they were doing it, they probably thought that their data would be stored securely. They were wrong.

The misconfigured S3 bucket contained scans of credit cards, membership and loyalty cards, medical cannabis cards, driver's licenses, and other identification documents. The images were stored unencrypted, and the bucket was configured so that anyone on the internet who knew its address could download them without authenticating. You can already see how badly the leak can affect users. Unfortunately, that wasn't the end of it.
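An S3 bucket becomes readable by the whole internet through one of three paths: a bucket policy that grants `s3:GetObject` to the anonymous principal `*`, a bucket ACL that grants READ to the `AllUsers` group, or Block Public Access being switched off so that either of the first two can take effect. The script below is an added example, not code from vpnMentor or Key Ring, and it does not touch AWS: the policy documents, ACL and Block Public Access configuration it audits are constructed inline in the same JSON shapes that `s3:GetBucketPolicy`, `s3:GetBucketAcl` and `s3:GetBucketPublicAccessBlock` return, and the bucket name, account ID and role name in them are made up. It flags a leaky policy, shows the same policy scoped to one IAM role beside it, and reports which of the four Block Public Access switches is off.

```python
"""Offline audit of the three S3 settings that turn a private bucket public.

Added example (not the researchers' or Key Ring's code). All inputs are
constructed below; a real audit would feed it the JSON returned by
get_bucket_policy, get_bucket_acl and get_public_access_block.
"""
from fnmatch import fnmatchcase

# The four Block Public Access switches; every one must be True to close
# both the policy path and the ACL path to public exposure.
REQUIRED_BLOCKS = ("BlockPublicAcls", "IgnorePublicAcls",
                   "BlockPublicPolicy", "RestrictPublicBuckets")

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone at all."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _grants_object_read(actions):
    """True if any action pattern (s3:GetObject, s3:Get*, s3:*, *) covers GetObject."""
    return any(fnmatchcase("s3:getobject", a.lower()) for a in _as_list(actions))


def public_read_statements(policy):
    """Return (Sid, kind) for Allow statements giving anonymous object read.

    kind is "unconditional" when no Condition block exists, otherwise
    "conditional" (a Condition such as aws:Referer is easy to spoof, so it
    is reported rather than silently accepted).
    """
    findings = []
    for i, st in enumerate(_as_list(policy.get("Statement"))):
        if st.get("Effect") != "Allow":
            continue
        if not _is_anonymous(st.get("Principal")):
            continue
        if not _grants_object_read(st.get("Action")):
            continue
        sid = st.get("Sid", f"statement[{i}]")
        findings.append((sid, "conditional" if st.get("Condition") else "unconditional"))
    return findings


def public_acl_grants(acl):
    """Return "Group:Permission" strings for grants to the public ACL groups."""
    found = []
    for grant in acl.get("Grants", []):
        group = PUBLIC_ACL_GROUPS.get(grant.get("Grantee", {}).get("URI", ""))
        if group:
            found.append(f"{group}:{grant.get('Permission')}")
    return found


def disabled_public_access_blocks(config):
    """Return the Block Public Access switches that are not set to True."""
    return [k for k in REQUIRED_BLOCKS if config.get(k) is not True]


# Constructed sample: the kind of policy that exposes every object to the world.
LEAKY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-wallet-images/*"}]}

# Constructed sample: same permission, limited to one (hypothetical) app role.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "AppReadOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/wallet-api"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-wallet-images/*"}]}

# Constructed sample: a legacy ACL granting READ to everyone.
LEAKY_ACL = {"Grants": [{"Grantee": {"Type": "Group",
    "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]}

PAB_OFF = {k: False for k in REQUIRED_BLOCKS}
PAB_ON = {k: True for k in REQUIRED_BLOCKS}


def audit(policy, acl, pab):
    """Collect human-readable findings; an empty list means no public path."""
    findings = [f"policy {sid} allows {kind} anonymous read" for sid, kind in public_read_statements(policy)]
    findings += [f"ACL grants {g}" for g in public_acl_grants(acl)]
    findings += [f"Block Public Access off: {k}" for k in disabled_public_access_blocks(pab)]
    return findings


if __name__ == "__main__":
    print("leaky bucket :", audit(LEAKY_POLICY, LEAKY_ACL, PAB_OFF))
    print("scoped bucket:", audit(SCOPED_POLICY, {"Grants": []}, PAB_ON))
```

The check on `Condition` deliberately only downgrades a finding rather than clearing it: a statement that opens the bucket to `*` but gates on `aws:Referer` or a similar request header is still public to anyone who sets that header. With Block Public Access fully enabled, both the policy and the ACL shown above are rejected or ignored by S3, which is why that setting belongs on at the account level for any bucket holding card scans or ID documents.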

Key Ring's misconfigured S3 buckets leaked tons of personal information

In the same bucket, the researchers found CSV files containing personally identifiable information (PII) belonging to millions of people. These people were on the membership lists of Key Ring partners like Walmart, and the lists contained a myriad of personal details like names, addresses, dates of birth, etc.

After a bit more rummaging, Noam Rotem and Ran Locar's team located four more misconfigured S3 buckets associated with Key Ring. They contained old snapshots of the app's database and exposed, among other things, users' email and home addresses, IPs, device information, etc. The databases also held passwords, which, according to the researchers, were "encrypted." Unfortunately, the mechanism for scrambling them remains unclear: whether they were hashed with a proper password-hashing function, hashed with a fast general-purpose hash, or reversibly encrypted makes a big difference to how easily an attacker who downloaded the snapshots could recover them.

It's also unknown whether the researchers were the only ones who managed to find the exposed data. On February 18, they finally managed to get in touch with Key Ring and Amazon, and two days later, the buckets were pulled offline, but we don't know when they were first exposed or how long they had been sitting open. Unfortunately, we should point out that although the information was secured relatively quickly, Key Ring's attitude towards the incident is hardly exemplary.

When leaks like this occur, users expect to receive individual notifications that tell them what has happened and what they need to look out for. Meanwhile, the general public expects an official announcement from the vendor, which also provides details on the incident and on the precautions taken to ensure that it doesn't happen again. With Key Ring, we have seen neither of these things.

The volume of the exposed data, coupled with the lack of any official response, means that we can do nothing more than assume that all 14 million Key Ring users are affected. If you're one of them, you must be a lot more cautious than you normally are, especially if you've stored any sensitive data with the app.

April 7, 2020
