93K users faced what the app development team called a “temporary data breach”
The app known as Sitter, used to search for and hire babysitters, “temporarily” exposed the personal data of 93K of its account holders, as reported by a cyber security researcher who recently discovered the leaked data through Shodan, the Internet of Things (IoT) search engine.
In a LinkedIn post, researcher Bob Diachenko explains how he found the 2GB MongoDB database on August 13. It contained phone numbers, addresses, transaction details, account holders’ contacts, partial credit card numbers and encrypted account passwords.
The leaked information also included users’ in-app chats and their notification history, as well as details of which users needed a babysitter, when and where.
Shodan indexed the database one day before the cyber security researcher found it, suggesting a short period of exposure, although it is possible that the database had been exposed for longer. The good news is that, upon learning of the leak, the team behind Sitter reacted quickly and took the leaked data offline, preventing the compromised information from being used for illicit purposes.
The Sitter developers issued a statement reporting that the affected users had already been notified of the situation, and announcing improvements to the security of their users’ data. Sitter also stated that the vulnerability that enabled this data leak has already been corrected.
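The report does not say how the Sitter database was configured, but a MongoDB instance that Shodan can index is one listening on a public interface, and when such an instance also has authorization disabled, any client that connects can read every database. The following Python script is an added example, not code from Sitter, from the researcher or from the MongoDB project. It parses the two-level subset of YAML that mongod.conf uses and flags the two settings that produce that situation: `net.bindIp` (or `net.bindIpAll`) listening on every interface, and `security.authorization` left at its default of disabled. The weak and hardened configurations embedded in it are constructed for illustration and are not Sitter’s actual files.

```python
"""
Audit a mongod.conf for the two settings that turn a database into an
internet-reachable, unauthenticated data source. Added example; the two
configurations below are constructed and hypothetical.
"""
from __future__ import annotations

# Constructed sample: listens on every interface, no authentication configured.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # reachable from any network the host is attached to
"""

# Constructed sample: bound to localhost only and requiring authentication.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text: str) -> dict[str, dict[str, str]]:
    """Parse the 'section:\\n  key: value' subset of YAML used by mongod.conf.

    Comments and blank lines are ignored. This is a deliberately small parser
    for the audit below, not a general YAML loader.
    """
    conf: dict[str, dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            conf[section] = {}
        else:
            if section is None:
                raise ValueError(f"key outside a section: {line!r}")
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit_conf(text: str) -> list[str]:
    """Return a list of findings; an empty list means neither weakness is present."""
    conf = parse_conf(text)
    findings: list[str] = []
    net = conf.get("net", {})
    # mongod has bound to localhost by default since 3.6; an explicit 0.0.0.0 / ::
    # or bindIpAll: true widens that to every interface.
    bind_ip = net.get("bindIp", "127.0.0.1")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    addrs = [a.strip() for a in bind_ip.split(",")]
    if bind_all or "0.0.0.0" in addrs or "::" in addrs:
        findings.append("net.bindIp: listens on all interfaces; "
                        "reachable from the internet if the host is")
    # Authentication is off unless security.authorization is explicitly 'enabled'.
    authz = conf.get("security", {}).get("authorization", "disabled").lower()
    if authz != "enabled":
        findings.append("security.authorization: not enabled; "
                        "any client that can connect can read every database")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_conf(conf) or ['no findings']}")
```

Run against the file passed to `mongod --config`; changes only take effect after the service is restarted. If application servers on other hosts need to reach the database, bind to a private address and restrict the port with a firewall rather than falling back to 0.0.0.0, and create the first user with the `userAdminAnyDatabase` role before enabling authorization so you are not locked out.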
This event comes not long after the leak of another MongoDB database compromised the health records of thousands of people in the state of Michoacán, Mexico. Before that, in 2017, a hacker ran a data theft campaign in which he managed to compromise 28K poorly secured MongoDB databases, getting many of the victims to pay the Bitcoin ransom he demanded.
There is no evidence that anyone other than researcher Bob Diachenko accessed the Sitter database, so it seems that this time the incident did not have more serious consequences. However, cyber security specialists from the International Institute of Cyber Security consider that, once a hacker has accessed information online, there is no such thing as a temporary data breach: the information remains vulnerable.