TuneFab converter, used to convert copyrighted music from streaming platforms such as Spotify, Amazon’s Audible, or Apple Music, has exposed its users' private data.
Cybernews research showed that the platform has exposed more than 151 million parsed records with users’ IP addresses, userArea, userIDs, emails, and device info.
The leak was caused by a misconfiguration on MongoDB, a document-oriented database platform, that left TubeFab’s data passwordless and publicly accessible.
The private data leak was identified on September 26th and indexed by public IoT search engines on the same day. The researcher contacted the company about the leak, and the misconfiguration was promptly fixed. Total exposure time was no longer than 24 hours. The company has yet to respond to a Cybernews request for an official comment on the matter.
According to Bob Diachenko, a cybersecurity researcher who first identified the leak, more than 280GB of exposed data could assist threat actors in the enrichment of data from previous leaks.
The company is registered in Hong Kong. Across eight apps created by TuneFab, it provides services, often considered illegal, to convert audio tracks on streaming platforms into MP3, M4A, WAV, FLAC, AIFF, AAC, and ALAC formats and download files to users' devices, bypassing digital rights protection.
The service covers various streaming services, including Spotify, Apple Music, Amazon, Pandora, YouTube, Deezer, and Audible.
Your email address will not be published. Required fields are markedmarked