
Over a million shoppers in Argentina were left exposed and vulnerable to fraud when the ¡appa! app leaked their private purchase information.
One of Argentina's most popular shopping apps, with a million downloads on the Google Play Store, has suffered a cybersecurity gaffe that spilled the private data of over a million clients.
Founded in 2018, ¡appa! app evolved into a Software as a Service (SaaS) platform for shopping malls. Available in over a dozen supermarkets, ¡appa! offers different services for shopping center visitors, from paying for parking to accessing discounts, reward programs, and benefits.
The Cybernews research team discovered a misconfigured Amazon S3 bucket storing over a thousand CSV files with sensitive data linked to the Argentinian company in November last year. Worryingly, despite multiple attempts to contact the company, the bucket remains open to the public.

What ¡appa! data was leaked:
- Full names
- Dates of birth
- National ID numbers – Documento Nacional de Identidad (DNI)
- Email addresses
- Phone numbers
- Purchase information, including transaction time and date, payment method, amount spent, loyalty card number, shop, and mall where transactions have been made
The scope of the leak is deeply concerning, as it impacts approximately 2.4% of the Argentine population. The absence of swift action undermines trust and calls into question the effectiveness of the safeguards in place to protect user data and the company's overall security posture. Under national data protection regulations, the company could be subject to fines.

¡appa! users at risk of fraud
Although there’s no indication malicious actors accessed the exposed files, attackers continuously scan the web for unprotected servers. If our researchers were able to find the leaked data, cybercrooks could have done the same.
The exposed bucket is a goldmine for phishing attacks – the more cybercriminals know about you, the more likely you are to fall for their lies.
Imagine receiving an email or an SMS message containing your name, email, and all the details of your recent purchase, asking you to click on the link to provide some extra information.
You can also be alerted about a new special offer on your loyalty program – to claim it, you only need to click on the provided link. Victims are far more likely to fall for the imposters, believing it is a legitimate purchase-related communication.
Phishing links could prompt victims into revealing their financial account details, or deliver malware that could drain victims' banking apps.
In Argentina, the DNI is the key personal identifier. A database of over a million citizens is a treasure trove for cybercrooks, as it could be exploited in various fraudulent activities.
For example, an attacker holding a person's DNI could register a prepaid SIM card in that person's name. The phone number could later be used for illegal activities involving unknowing victims.
The company has not responded to questions about whether it plans to inform affected users, so they are likely exposed to these threats without knowing.
Cybernews researchers previously revealed another massive leak in South America, where 223 million records with Cadastro de Pessoas Físicas (CPF) numbers of Brazilian citizens were leaked online. The number of leaked records implies that the entire Brazilian population might be affected by the leak.
Cybernews researchers advise implementing the following security measures:
- Adjust the access controls to limit public access and enhance the security of the bucket. Update permissions to ensure that only authorized users or services have the appropriate access
- Review access logs retrospectively to determine if unauthorized entities have accessed the bucket
- Enable server-side encryption to safeguard data at rest
- Use AWS Key Management Service (KMS) to manage encryption keys securely
- Implement SSL/TLS to secure data during transit and ensure protected communication
- Consider adopting security best practices, such as conducting regular audits, implementing automated security checks, and providing employee training
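The checks and settings behind the first five recommendations, as an added example that is not part of Cybernews' report or ¡appa!'s own configuration: the bucket name, IAM role ARN, KMS key ARN and the S3 server access log lines are constructed for illustration. The policy and configuration dictionaries are in the shapes boto3's put_bucket_policy, put_public_access_block and put_bucket_encryption accept, but no AWS call is made, so the script runs offline.

```python
"""Audit a bucket policy for public access, build the hardened replacement,
and scan S3 server access logs for anonymous reads (added example).
Bucket, role, key and log lines below are constructed, not real."""
import re

BUCKET = "example-retail-exports"                                 # assumption
APP_ROLE = "arn:aws:iam::123456789012:role/export-writer"         # assumption
KMS_KEY = "arn:aws:kms:us-east-1:123456789012:key/0000aaaa-bbbb-cccc-dddd-eeeeffff0000"

# Constructed: the kind of policy that makes every CSV in a bucket world-readable.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}


def _wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"}: anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False


def public_statements(policy):
    """Sids of Allow statements granted to everyone. Deliberately conservative:
    a wildcard Allow is reported even if it carries a Condition, since
    conditions like aws:Referer are not real access control. Review each hit."""
    return [s.get("Sid", "<no Sid>") for s in policy["Statement"]
            if s.get("Effect") == "Allow" and _wildcard_principal(s.get("Principal"))]


def hardened_policy(bucket=BUCKET, role_arn=APP_ROLE):
    """Only the application role may read/write, and plaintext HTTP is refused."""
    arn = f"arn:aws:s3:::{bucket}"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
             "Action": "s3:*", "Resource": [arn, f"{arn}/*"],
             "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
            {"Sid": "AppRoleAccess", "Effect": "Allow", "Principal": {"AWS": role_arn},
             "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
             "Resource": [arn, f"{arn}/*"]},
        ],
    }


# Bucket-level switches that neutralise any public ACL or policy added later.
PUBLIC_ACCESS_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                       "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

# Default encryption: every new object is written SSE-KMS with the customer key.
ENCRYPTION_CONFIG = {"Rules": [{
    "ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": KMS_KEY},
    "BucketKeyEnabled": True,
}]}

# S3 server access log prefix fields; requester "-" means an unsigned request.
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) (?P<key>\S+) '
    r'"(?P<uri>[^"]*)" (?P<status>\d{3}|-)'
)

# Constructed sample lines, truncated after http_status (all this check needs).
SAMPLE_LOGS = """\
ownerid example-retail-exports [13/Nov/2024:09:12:01 +0000] 203.0.113.7 - 7F3E2A1B REST.GET.OBJECT exports/sales_2024-11-12.csv "GET /exports/sales_2024-11-12.csv HTTP/1.1" 200
ownerid example-retail-exports [13/Nov/2024:09:12:02 +0000] 203.0.113.7 - 7F3E2A1C REST.GET.BUCKET - "GET /?list-type=2 HTTP/1.1" 200
ownerid example-retail-exports [13/Nov/2024:09:15:40 +0000] 10.0.4.12 arn:aws:sts::123456789012:assumed-role/export-writer/app 7F3E2A1D REST.PUT.OBJECT exports/sales_2024-11-13.csv "PUT /exports/sales_2024-11-13.csv HTTP/1.1" 200
ownerid example-retail-exports [13/Nov/2024:09:20:05 +0000] 198.51.100.9 - 7F3E2A1E REST.GET.OBJECT exports/secret.csv "GET /exports/secret.csv HTTP/1.1" 403
"""


def anonymous_hits(log_text):
    """Successful (2xx) requests by unauthenticated callers as (ip, operation, key)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["requester"] == "-" and m["status"].startswith("2"):
            hits.append((m["ip"], m["operation"], m["key"]))
    return hits


if __name__ == "__main__":
    print("public statements (weak):", public_statements(WEAK_POLICY))
    print("public statements (hardened):", public_statements(hardened_policy()))
    for ip, op, key in anonymous_hits(SAMPLE_LOGS):
        print(f"anonymous {op} on {key!r} from {ip}")
```

Note that server access logging only helps retrospectively if it was enabled before the exposure; if it was not, CloudTrail data events for the bucket are the other record to check, and an empty result proves nothing.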
Disclosure timeline:
- Leak discovered: November 13th, 2024
- Initial disclosure: November 27th, 2024
- CERT contacted: January 13th, 2025