Millions of images and videos of babies sold on deep web. Data breach in the Peekaboo Moments app

Information security incidents now affect even babies. Due to an unprotected Elasticsearch database, millions of videos and images of babies stored by the Peekaboo Moments mobile app are available for sale on deep web hacking forums. The database was not adequately protected by Bithouse Inc., the app’s developer. The report was filed by Dan Ehrlich, director of information security firm Twelve Security.

In his report, the researcher mentions that at the time of the find, the Peekaboo Moments database contained at least 70 million log files (equivalent to more than 100GB of information). This information includes a history of activity on the platform, such as logins, data loading, and more.

Regarding the personal information exposed, the information security report indicates that compromised data includes details such as:

  • Users’ full names
  • Email addresses
  • Information about the device where the app was installed
  • Links to media content (photos and videos) hosted on Alibaba Cloud

The investigator claims that nearly 900,000 email addresses were exposed during the incident.

SOURCE: Bank Info Security

The threat doesn’t end there, as the app also transmits sensitive data that, in a complex scenario, could affect the babies themselves. Peekaboo Moments has a growth tracker, which lets users track the height and weight of their babies, and in many cases the records include their date of birth. “They’re only a few months old and these babies have already suffered their first data breach”, Ehrlich adds.

Although its developers claim that Peekaboo Moments is a safe space to safeguard photos and videos of babies, the incident shows that the company has made basic information security errors, exposing stored data and information.

In its Google Play Store profile, the company boasts of storing its users’ content securely: “We understand how important these moments are to our users. Your data privacy is one of our priorities, so your photos and videos will be stored in a safe space, out of reach of someone outside your family or friends.” 

Researchers are still unclear how long the database was exposed, and it is also unknown whether someone accessed or managed to extract the information. In addition, despite multiple attempts, researchers have failed to contact Jason Liu, CEO of Bithouse Inc. Multiple emails have also been sent to the company, which is apparently established in China, but that effort has also been fruitless.

Troy Hunt, information security expert and founder of the Have I Been Pwned platform, mentions that, although incidents of this kind occur often, the fact that this database stored information about users’ babies could expose those affected to new attack variants using the information and content exposed.

Another risk in using this app is related to a feature to export content from Facebook to Peekaboo Moments, which implies that Peekaboo Moments API keys for the social network are also exposed. This information could allow an attacker to access the Facebook content of Peekaboo app users, Ehrlich says.

According to information from the International Institute of Cyber Security (IICS), the app was launched in 2012 and has been downloaded more than a million times from the Google Play Store. Peekaboo Moments is a free service, although the company generates profits by offering additional storage per scan starting at $9 each quarter. The company’s official position on the incident is still awaited.