Astrology app exposes locations of 6M users, founders likely linked to Russia


The Moonly app has leaked employee credentials and the GPS locations of a staggering number of users. The leak also suggests that the company, ostensibly headquartered in the US, might be largely operated from Russia.

On June 18th, the Cybernews research team discovered a publicly accessible Google Cloud Storage bucket belonging to Cosmic Vibrations Inc., a company that manages a lunar tracking and astrology app called Moonly.

The bucket stored a database backup from April 19th, 2024. This backup exposed the app’s admin credentials and the private data of six million Moonly users, including exact GPS coordinates of where user accounts were created.

“It’s likely that the GPS location of where users created their accounts would match the GPS location of their homes, meaning that the impact could be similar to leaking their home address,” said Aras Nazarovas, a security researcher at Cybernews.

Image: Moonly app data leak (user locations, dates of birth)

The leaked data included:

  • Prompts for AI-generated images
  • AI-written motivational messages
  • AI-generated Tarot card readings
  • GPS locations of where the account was created
  • Dates of birth
  • Astrological information
  • User device metadata
  • Email addresses of 90,000 customers
  • Employee credentials and IP addresses

Malicious actors may use this private data in targeted attacks. Although the leaked employee passwords were hashed using a relatively secure algorithm, it may still be possible to crack some of them. If cracked, attackers could take over employee accounts and access more sensitive information from other company systems.

Image: Moonly app data leak (employee emails and passwords)
Image: Moonly app data leak (employee emails, passwords, and IP addresses)

Ties to Russia

Founded in 2020, Cosmic Vibrations officially lists its headquarters in San Francisco, US. However, the data leak has led researchers to assess that the company is actually operated from Russia.

The leaked database backup reveals that the company’s employees logged on to Moonly’s systems from the Russian Federation, Belarus, and Indonesia. None of them connected from residential US IP addresses.

Further indications linking the app to Russia included references in the bucket's name and the Russian surnames of the "Admin" users listed in the data tables.

The company has not been transparent about its operations in Russia, which are not publicly disclosed. While the app’s development and administration are likely done outside the US, the company uses US and EU-based infrastructure to store data and cover tracks leading back to Russia.

Image: Moonly app data leak (user email addresses)
Image: Moonly app data leak (AI-generated image prompts)

Amid Russia’s aggression against Ukraine and on various cyber fronts, and worldwide economic sanctions on Russia, unsuspecting app users might be sending their data to Russian entities and funding a Russia-run company.

“Leaked backend information suggests that it is very likely that the service is largely, if not fully, operated from Russia. In the current geopolitical climate, this information could have otherwise caused users to not use the app for political reasons if it had been transparently provided to its users,” explained Nazarovas.

“This information could have also been kept secret to avoid sanctions against the Russian Federation and affiliated businesses.”

Just last month, the US banned Russian-made Kaspersky software for posing a “significant risk” to US infrastructure and services. The US ban builds on previous waves of bans across Europe.

The company responds

Cybernews contacted Moonly, and the company restricted access to the open storage bucket.

“At Moonly, we prioritize information security and are continually vigilant in our efforts to protect our users’ data. We regret any concern this incident may have caused and are committed to ensuring the highest standards of data protection moving forward,” said a company spokesperson.

A spokesperson highlighted that Cosmic Vibrations Inc. is a US-based company registered in Delaware, USA. However, the staff consists of “a global team stationed around the world.”

Article was updated on August 9th, 2024, to include the company's comment.