- Cybernews discovered that Tokee’s unprotected MongoDB exposed the data of approximately 1.2 million users
- The leak included names, phone numbers, avatars, device tokens, IDs, activity logs, and account statements; chat logs were encrypted
- Deucetek secured the database after disclosure; no evidence of malicious access, but users warned of phishing risks
A messaging app called Tokee maintained an unprotected database filled with sensitive information, exposing more than a million customers to anyone who knew where to look.
Security researchers at Cybernews discovered a MongoDB instance that was not password-protected and that contained user display names, phone numbers stored as numeric values, profile avatars, device tokens used for push notifications, user IDs, timestamps for account creation and updates, “last seen” activity indicators, and account status indicators (e.g., premium or non-premium).
Further investigation determined that the database belonged to a company called Deucetek, a US-based software company that develops the Tokee messaging app.
Lock files
Tokee is not as popular as WhatsApp or Telegram, but it still has a strong user base. It has more than a million downloads on the Android platform alone (Apple’s App Store does not show download numbers), and Cybernews says the leak exposed about 1.2 million users, “which likely represents the vast majority of the app’s user base.”
Chat logs were also stored in the same database, but were encrypted and as such are not at immediate risk. If someone had enough computing power, the encryption could be cracked, but at the moment it’s not exactly cost-effective. Still, there is a lot of unencrypted information in the database that can cause serious damage:
“Although user chat messages stored on the same infrastructure appear to be encrypted using password-based OpenSSL encryption, the exposed personal data alone presents significant regulatory, security and privacy risks,” the Cybernews team said.
Following a responsible disclosure, Deucetek locked the database. The researchers said there was no evidence that the data was discovered by malicious actors in the past, and that the data does not appear to have reached the dark web. Users are still advised to be careful with incoming messages, especially those claiming to come from Tokee or Deucetek.





