A social networking app that promises to “protect your privacy” suffered a data breach late last week. According to TechCrunch, the company left one of its servers exposed, leaving customer data compromised and available for anyone to find.
Launched in 2017 by Hello Mobile, True promises to protect users’ privacy and never to sell or share such sensitive information, notes TechRadar. Despite that promise, the breach has put a dent in its plans.
Mossab Hussein reportedly found the exposed server. TechCrunch states Hussein is a chief security officer at SpiderSilk, a Dubai-based cybersecurity firm. Hussein provided details of the incident to TechCrunch.
In a statement, Hussein said that a dashboard for one of the social networking site’s databases was exposed on the internet. It was not protected by a password, which allowed anyone to access and read private user data.
Details provided by BinaryEdge showed that the company’s dashboard had been exposed without protection or encryption since early September of this year. After being contacted with this information, True reportedly took its dashboard offline.
The servers contained a range of information, including email addresses, phone numbers, private messages, location data, and access tokens, TechRadar reports. The access tokens can be leveraged by malicious hackers to gain unauthorized access to user accounts.
The dashboard also held daily server logs. Apart from the geolocation data providing insight into a user’s location, the data breach also exposed the phone contacts uploaded by the user. These contacts are supposedly used to match the user with friends on the True mobile app.
Hussein also confirmed that one-time login codes were exposed.
True’s chief executive officer, Bret Cox, confirmed the incident to TechCrunch. However, the company declined to provide answers to questions regarding its plans to inform the public about its data lapse.
True maintains that deleting an account or a profile “will immediately remove all of your content from our servers.” However, TechCrunch states that in its tests, private messages, posts, and photos still remained searchable on the exposed dashboard.
In a statement, Hussein said, “This is another example of how mistakes can happen at any organization, even those that are privacy-centric. It highlights the importance of not only building secure applications and websites, but also ensuring that proper data security measures are embedded within their internal procedures.”