ADVERTISEMENT

Horror story app Chilling haunted by loose permissions, spilling data

There is no autocorrect for cybersecurity, and one mistake can leave doors for attackers open for months. Chilling, a subscription-based app featuring narrated horror stories, was discovered leaking user data and sensitive secrets for nine months.

Chilling App research

Image by Cybernews.

Ernestas Naprys
Ernestas Naprys Senior Journalist
Aug 13, 2024 Updated: 8 December 2025 3 min read
ADVERTISEMENT

What was in the leak?

  • Multiple credentials for databases, such as ‘users,’ ‘video,’ ‘story,’ and others.
  • AWS ID, access key, bucket name, and bucket path.
  • SSL private key and SSL fullchain certificate.
chilling-leak
  • Investigate access logs to identify whether any threat actors have accessed the exposed sensitive information.
  • Rotate all exposed credentials to mitigate risks.
  • Implement stricter access controls, use environment-specific configurations, and encrypt sensitive data at rest and in transit.
  • Ensure multi-factor authentication (MFA) is enabled so that all users can add an additional layer of security in case the account gets compromised.
  • Inform the affected users and regulators if needed.
ADVERTISEMENT