Key Ring, creator of a digital wallet app used by 14 million people across North America, has exposed 44 million IDs, charge cards, loyalty cards, gift cards and membership cards to the open internet, researchers say.
The Key Ring app allows users to upload scans and photos of various physical cards into a digital folder on a user’s phone. While Key Ring is primarily designed for storing membership cards for loyalty programs, users also store more sensitive cards on the app. According to the research team at vpnMentor, it found 44 million scans exposed in a misconfigured cloud database that included: Government IDs, retail club membership and loyalty cards, NRA membership cards, gift cards, credit cards with all details exposed (including CVV numbers), medical insurance cards and medical marijuana ID cards, among others.
vpnMentor said that it found a total of five misconfigured Amazon Web Services (AWS) S3 cloud databases owned by the company. These could have revealed millions of these uploads to anyone with a web browser, thanks to a lack of password-protection on the buckets, the company said. Also, every file could also be downloaded and stored offline.
Threatpost reached out to Key Ring’s media team multiple times over the last few days for a comment or reaction to the findings, with no response — and will update this post with any additional information should the company eventually respond.
Five Databases of Information
According to the research, launched Thursday and shared with Threatpost ahead of publication, vpnMentor came across indicators of an initial exposed bucket in January, which contained the scanned card information. However, that wasn’t the extent of the exposed data.
The researchers also said that they found older, brand-specific loyalty-card lists sorted by retail company, including CSV databases detailing various reports on customers of Walmart, Footlocker and other big brands. vpnMentor said that the lists contained personally identifiable information (PII) data for millions, including full names, emails, membership ID numbers, dates of birth, physical addresses and ZIP codes. The firm also said that the data set stretched back in some cases to 2014.
Examples of the number of people exposed in these lists include 16 million for Walmart, 64,000 for the Kids Eat Free Campaign, 6,600 for La Madeleine and 2,000 for Mattel, among others, it said.
Also, as the firm was looking into the situation, it said that it found four additional unsecured S3 buckets belonging to Key Ring, which the company said contained even more sensitive data.
vpnMentor said that these additional four storage units each contained a different snapshot of Key Ring’s internal database of users, containing emails, home addresses, device and IP address info, encrypted passwords and the “salt” randomized data used to encrypt them and more.
Disclosure and Exposure
Once the details of the leak were confirmed, the vpnMentor team said that it contacted Key Ring and AWS to disclose the discovery on February 18 – and the buckets were secured two days later.
However, Key Ring itself never responded to the firm’s findings.
“We reached out to them but didn’t get any reply,” Noam Rotem, lead of vpnMentor’s research team, told Threatpost. “At the same time, we reached out to Amazon, who (we believe) reached out to them too in order to secure the data. As we haven’t been in touch with them, we don’t know if they’re going to notify their users.”
The research team is unsure of how long the data was exposed prior to the discovery.
“In fact, we can’t say for certain that nobody else found these S3 buckets and downloaded the content before we notified Key Ring,” according to the analysis shared with Threatpost. “If this happened, simply deleting the exposed data and securing the S3 buckets might not be enough. Hackers would still have access to all the data, stored locally, offline and completely untraceable.”
vpnMentor said that the team did not reach out to the third parties (Walmart, et al) about the data exposure: “It doesn’t seem related to data sharing, as data sharing is supposed to be related to the PII provided by their customers, and not the cards [that individuals] scan and save in their wallet,” Rotem said.
Potential Fallout
Key Ring’s databases, if they’ve been stolen, could facilitate massive fraud and identity theft schemes targeting millions of people in America and Canada, according to the analysis.
Any cybercriminal that accessed the databases could sell the information on the criminal underground, or use it themselves, vpnMentor pointed out. Potential attacks include identity theft; the ability to file fraudulent tax returns and claim refunds in victims’ names; credit-card fraud and online shopping fraud; account takeovers; stealing and using accrued loyalty points; and even “loan stacking” where criminals take out multiple loans in a person’s name, from automated lenders, with numerous payouts made before the victim becomes aware. Plus, the wealth of information opens victims up to phishing and convincing email scams.
“What’s most notable about this incident is that people would trust companies to secure their data, and hence share with them everything, including their credit cards (both sides), without fearing that this could be exploited,” Rotem told Threatpost. “Needless to list the risks related to a clear credit-card picture leaking.”
vpnMentor pointed out that the company itself could also be in danger if the database has been downloaded by criminal hackers.
“Aside from losing users and partners, Key Ring would have been vulnerable to legal action, fines and intense scrutiny from government data privacy groups,” the research noted. “Key Ring is already no longer operating in the EU due to the inability to comply with GDPR. With California enacting its data privacy law in January 2020 – the CCPA – Key Ring could still have faced investigation and fines from the state’s legislative bodies. Given the scale and seriousness of this leak, the impact on the company’s finances, reputation and market share would be unmeasurable.”
The company’s privacy policy was last updated in March 2015 and states: “We may encrypt certain sensitive information using Secure Socket Layer (SSL) technology to ensure that your Personally Identifiable Information is safe as it is transmitted to us.”
It adds: “However, no data transmission can be guaranteed to be 100 percent secure. As a result, while we employ commercially reasonable security measures to protect data and seek to partner with companies that do the same, we cannot guarantee the security of any information transmitted to or from the Website or via the Key Ring Service, and are not responsible for the actions of any third parties that may receive any such information.”
Cloud misconfigurations are all too common, with businesses both large and small inadvertently exposing users’ personal data. In fact, a recent Unit 42 report found that more than half (60 percent) of breaches occur in the public cloud due to misconfiguration.
Rotem told Threatpost that “we’re not here to judge how these companies are managing their customers’ data.” However, he added that “too many companies are failing at protecting their data…the way they react to such leaks, fix and respond is what would distinguish a company that cares about its security and customers, from a company that doesn’t.”
Threatpost also reached out to Key Ring for more details on its disclosure policies and how it has handled this incident.
Do you suffer from Password Fatigue? On Wednesday April 8 at 2 p.m. ET join Duo Security and Threatpost as we explore a passwordless future. This FREE webinar maps out a future where modern authentication standards like WebAuthn significantly reduce a dependency on passwords. We’ll also explore how teaming with Microsoft can reduced reliance on passwords. Please register here and dare to ask, “Are passwords overrated?” in this sponsored webinar.