Get My Slice, which pays its users in exchange for data, left a 19GB-strong dataset with names, emails, and phone numbers unprotected. It claims to have resolved the issue within 24 hours of discovery.
“We’re working hard to make sure this never happens again,” app developers told Cybernews. While the open database didn’t include browsing history, cybercriminals could use names, emails, and phone numbers to commit identity theft.
What’s in the database
Recently, Cybernews discovered an unprotected database of over 26 million logs generated by getmyslice.com and its Android and iOS apps. The oldest log entry dates back to 31 January 2021.
The dataset had approximately 20,000 unique emails, phone numbers, and names. Most of the affected users seem to be from the UK. The database also contained device information, such as the device’s name, model, battery level, and memory usage. However, the user browsing history that Get My Slice sells to brands hasn’t been leaked.
The unprotected 19GB-strong instance was hosted by AWS in the United Kingdom. After the Cybernews team reported the findings to the app developers, the database was immediately closed.
Is my data safe?
“At Get My Slice, we take privacy very seriously. We always hear of big companies having data leaks, and unfortunately, this time it has happened to a startup like us,” Get My Slice said in a written statement to Cybernews, promising to do better. “Despite having robust security systems in place, a misconfiguration of a logging server exposed the information. We’d like to reassure our users that the problem was resolved within 24 hours of discovery, and we’re working hard to make sure this never happens again.”
Names, emails, phone numbers, and other personally identifiable information (PII) are a treasure trove for cybercriminals. In addition to identity fraud, PII can be used to hijack user accounts. Phone numbers could be used for so-called SIM-swapping attacks to bypass two-factor authentication (2FA).
- To see if any of your online accounts were exposed in previous security breaches, use our personal data leak checker with a library of 15+ billion breached records.
"By using such services, you are sharing your data with third parties – each company you share your information with could be subject to a data breach. With every additional third party you share your information with, the risk of a data breach grows exponentially, given they might be sharing that information with someone else, too," Cybernews researcher Aras Nazarovas said.
It has been possible to get paid for sharing personal data with brands for some time now.
"We're part of the data revolution," claims rewards app Get My Slice, with over 50,000 downloads on Google Play alone.
Instead of paying big tech companies for user data, some brands choose to reward consumers more directly. Here apps like Get My Slice come in handy – they match brands with users so they can earn money for sharing their personal data.
"Simply connect your online accounts like Google or Facebook to the app, explore fantastic personalized offers and start getting rewarded," the Get My Slice website reads.
After connecting your accounts, Get My Slice scrapes your browsing activity and sells it to advertisers. Brands then offer cashback and discounts to participate in an offer (sign up/purchase/enquire).
Users want to take back control
The data ownership concept, so strongly advocated by the Cambridge Analytica whistleblower Brittany Kaiser, is gaining momentum.
According to her, having the right to privacy, we still don’t have any ownership or rights over our data in most countries worldwide. Being the producers of the world’s most valuable asset, we are not receiving any value in return.
“Our personal information has become a commodity in a multi-trillion dollar market and is being bought and sold and traded around the world without our explicit consent,” she said.
In the light of significant leaks, such as the LinkedIn or Facebook leaks, the concern about privacy is only growing. At the same time, users begin to acknowledge that if disappearing from the grid is not an option, at least they could get paid for sharing their data with businesses of their choice.
Many startup companies are trying to reimagine how data, the oil of the 21st century, is pumped and processed. TIKI offers you money in exchange for your personal information, and ImagineBC is a platform where you can earn money just by watching ads. Those startups recognize the need for a new business model where consumers can make money and be in charge of their data.
More from Cybernews:
Subscribe to our newsletter