Australian social news platform leaks 80,000 user records

by Edvardas Mikalauskas
1 October 2020
in Security

To increase efforts to secure user data, Snewpit will be reviewing “all server logs and access control settings” to confirm that no unauthorized access took place and to ensure that “user data is secure and encrypted.”

The CyberNews investigations team discovered an exposed data bucket that belongs to Snewpit, an Australian news sharing platform. The unsecured bucket contains close to 80,000 user records, including usernames, full names, email addresses, and profile pictures.

The files that contain the records were stored on a publicly accessible Amazon Web Services (AWS) server, which means that anyone with a direct URL to the files could access and download the data that was left out in the open.

On September 24, the sensitive files in the Snewpit bucket were secured by the company and are no longer accessible.

To see if your email address has been exposed in this or other security breaches, use our personal data leak checker.

What data is in the bucket?

The exposed Snewpit Amazon AWS bucket contained 26,203 files, including:

  • 256 video files filmed and uploaded by Snewpit users and developers
  • 23,586 image files of photos documenting local events that were apparently uploaded by the users
  • 4 CSV files, one of which contained 79,725 user records, including full names, email addresses, usernames, user descriptions, last login times, and total time spent in the Snewpit app, among other metrics

Aside from the user records, the bucket also contained thousands of user profile pictures.

Examples of exposed records

Here are some examples of the user records, videos, and images left on the exposed Snewpit bucket.

The CSV file contains user records for what we assume to be users who downloaded and installed the Snewpit app, which currently has 50,000+ installs on Apple’s App Store and Google’s Play store.

The video files stored in the bucket seem to show raw footage from news posts, including criminal incidents.

There were also user profile pictures among the files stored in the bucket.

Who owns the bucket?

The publicly available Amazon bucket appears to belong to Snewpit, a software company based in Australia. Snewpit is a map-based peer-to-peer app that allows users to create, find, and share real-time news updates, as well as receive notifications for news posted within 5 kilometers of their location. 

According to the developers, the app is aimed at helping users “form a worldwide community of citizen journalists, reporting and discovering local news and events happening around them.”

The app is mostly used by Australians, with small userbases currently located in the US and the UK.

Who had access to the data?

According to Snewpit founder Charlie Khoury, the bucket has been exposed for 5 weeks since the development team made server changes to the system reporting. While Snewpit have not noticed any suspicious activity, the company is reviewing all server logs to confirm that this is the case.

“We will be reviewing all access control settings and ensuring our user data is secure and encrypted. We take our data and security seriously and will endeavour to make sure this does not happen again.” -Charlie Khoury

With that said, the files were stored on a publicly accessible Amazon S3 server, and bad actors can find unprotected Amazon buckets relatively easily. Since these buckets lack any sort of protection from unauthorized access, there is a possibility that the data may have been accessed by bad actors for malicious purposes during the 5-week period.
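One way the server-log review mentioned above could be carried out, assuming S3 server access logging was enabled on the bucket (the article does not say whether it was). This is an added example, not code from Snewpit or CyberNews; it lists successful unauthenticated reads of CSV objects during the roughly 5-week exposure window. The bucket name, object keys, IP addresses and log records are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Leading fields of an S3 server access log record (space-delimited).
LOG_RE = re.compile(
    r'^(?P<owner>\S+) (?P<bucket>\S+) \[(?P<time>[^\]]+)\] (?P<ip>\S+) '
    r'(?P<requester>\S+) (?P<request_id>\S+) (?P<operation>\S+) '
    r'(?P<key>\S+) (?:"[^"]*"|-) (?P<status>\d{3}|-) '
)

# Window from the article: exposed for about 5 weeks, secured on 24 September 2020.
SECURED = datetime(2020, 9, 24, tzinfo=timezone.utc)
WINDOW_START = SECURED - timedelta(weeks=5)
WINDOW_END = SECURED + timedelta(days=1)  # include all of the 24th

def anonymous_reads(lines, suffixes=(".csv",)):
    """Return (time, ip, key) for successful unauthenticated object reads."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated record
        when = datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z")
        if not (WINDOW_START <= when < WINDOW_END):
            continue
        if (m["requester"] == "-"  # "-" means no authenticated identity
                and m["operation"] == "REST.GET.OBJECT"
                and m["status"] in ("200", "206")
                and m["key"].lower().endswith(suffixes)):
            hits.append((when.isoformat(), m["ip"], m["key"]))
    return hits

def _rec(time, ip, requester, key, status):
    # Builds a constructed record; IDs and the bucket name are placeholders.
    return (f'OWNERIDEXAMPLE example-app-bucket [{time}] {ip} {requester} '
            f'REQIDEXAMPLE REST.GET.OBJECT {key} "GET /{key} HTTP/1.1" '
            f'{status} - 1024 1024 20 10 "-" "-" -')

SAMPLE = [  # constructed log lines, not taken from the incident
    _rec("02/Sep/2020:11:04:17 +0000", "203.0.113.7", "-", "exports/users.csv", 200),
    _rec("03/Sep/2020:08:00:00 +0000", "198.51.100.4",
         "arn:aws:iam::111122223333:user/deploy", "exports/users.csv", 200),
    _rec("24/Sep/2020:19:30:00 +0000", "203.0.113.9", "-", "exports/users.csv", 403),
    _rec("05/Sep/2020:10:15:00 +0000", "203.0.113.7", "-", "profiles/a1.jpg", 200),
    _rec("01/Jul/2020:10:15:00 +0000", "203.0.113.7", "-", "exports/users.csv", 200),
]

if __name__ == "__main__":
    for hit in anonymous_reads(SAMPLE):
        print(hit)
```

An empty result only shows that no anonymous read was logged; it says nothing about periods when logging was off or records were not delivered.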

What’s the impact of the leak?

Fortunately, the files stored in the exposed Snewpit bucket don’t contain any deeply sensitive information like personal document scans, passwords, or social security numbers. However, even this data can be enough for bad actors to abuse for a variety of malicious purposes:

  • Contact details like full names and email addresses can be used by phishers and scammers to commit targeted attacks against the exposed Snewpit users by sending them malicious spam emails
  • Particularly determined cybercriminals can combine the data found in this bucket with previous breaches in other verticals in order to build more accurate profiles of potential targets for identity theft

What happened to the data?

We discovered the Snewpit bucket on September 24 and immediately reached out to the company in order to help secure the bucket. The Snewpit team responded within minutes and secured the files containing user records on the same day.

What to do if you’ve been affected by the leak?

If you have a Snewpit account, there is a high chance that your records may have been exposed in this breach. To secure your data and avoid any potential harm from bad actors, we recommend doing the following:

  1. Use our personal data leak checker to see if your email address has been leaked.
  2. Immediately change your email password and consider using a password manager.
  3. Enable two-factor authentication (2FA) on your email and other online accounts.
  4. Look out for incoming spam emails and phishing messages. Don’t click on anything that looks even remotely suspicious, including emails from senders you do not recognize. 