A leaky Elasticsearch database has resulted in thousands of images and videos of babies being leaked online.
The developer of the Peekaboo Moments app, Bithouse Inc, failed to secure a 100GB Elasticsearch database. The database had been left open accessible by anyone, and without any password protection.
The database contained over 70 million log files dating from March 2019. The exposed data include email addresses, geographic location data, device data, and links to photos and videos.
Dan Ehrlich, who runs the Texas-based cybersecurity startup Twelve Security, discovered the database, to which he estimates that at least 800,000 email addresses have been exposed.
“I’ve never seen a server so blatantly open,” said Ehrlich to the Information Security Media Group (ISMG). “Everything about the server, the company’s website and the iOS/Android app was both bizarrely done and grossly insecure.”
The app allows parents to record their baby’s birth date, and track their baby’s weight and length. In addition, there is a field on the app that records location data in latitude and longitude to four decimal points, which is accurate to about 30 feet of a user’s location.
“We completely understand how these moments [are] important to you,” said the company on the Google Play App profile page. “Data privacy and security come as our priority. Every baby’s photos, audios & videos or diaries will be stored in secured space. Only families and friends can have access to baby’s moments at your control.”
It remains unclear as to how long the Elasticsearch database was left unsecured, or who may have accessed the data.
Repeated efforts by ISMG to contact Peakaboo Moments CEO, Jason Liu, has drawn blank. The company has also not responded to emails, and attempts to contact employees have proven unsuccessful.