The CyberNews investigations team discovered an unsecured data bucket that belongs to Panion, a Swedish software company. The unprotected bucket contains more than 2.5 million user records, including full names, email addresses, genders, interests, location coordinates and last login dates, as well as selfies and document photos.
The files containing the records were left on a publicly accessible Amazon Web Services (AWS) server, allowing anyone to access and download the data.
After we contacted Amazon regarding the exposed Panion bucket, access to files containing user data was disabled.
What data is in the bucket?
The publicly available Panion Amazon S3 bucket contained 694,116 files, including:
- 693,018 image files uploaded by the developers and users, including selfies and documents shared by users in either group or private chats
- 61 periodically updated CSV files containing what appears to be 2,596,369 user records, of which 171,855 belonged to unique users
Aside from the user records, the bucket contained hundreds of thousands of images presumably exchanged by users of the Panion app.
What’s more, fresh files containing updated user records were added to the bucket periodically, which means that the user records were up to date.
Examples of exposed records
Here are some examples of the user records and images left on the publicly accessible Panion bucket.
Most of the CSV files contain user records for what we assume to be users who downloaded and installed the Panion app, which currently has 200,000+ installs on Google Play and App Store combined. Most of the user records seem to belong to people based in Sweden, followed by US and Danish users.
There are also user selfies and documents among the image files stored in the bucket.
Who owns the bucket?
The publicly available Amazon bucket appears to belong to Panion, a software company founded in 2018 and based in Malmö, Sweden. Panion, dubbed the “common interest app,” is aimed at helping users build their social circles by matching nearby people based on their location, as well as common interests, values, and experiences.
The app’s promise to the users is to “bring people together through a secure and immersive virtual space that encourages them to share, connect, communicate, and engage.” Unfortunately, the security of this virtual space was compromised the moment Panion failed to protect the data bucket in question.
This data leak is especially disheartening in the context of the COVID-19 lockdowns: social apps like Panion are gaining attention from people who feel increasingly isolated by the pandemic and are turning to technology to cope with the debilitating psychological and social effects of the lockdowns.
Who had access to the data?
The bucket was hosted on Amazon AWS and had been exposed for an unknown period. It’s unclear whether any bad actors accessed the data stored in the bucket.
Because unprotected Amazon S3 buckets are fairly easy to find and can be read without any authorization procedure, anyone who knew where to look could have accessed and downloaded the files.
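As an added, defender-side illustration (this is not part of the CyberNews article and says nothing about Panion’s actual configuration, which was not published), the Python below shows what “unprotected” means in S3 terms. A bucket is reachable without credentials when a bucket policy or ACL grants access to the anonymous public and the account’s Block Public Access settings do not neutralise that grant. The bucket name, account ID, policy, ACL grants and settings are all constructed sample inputs; the check evaluates them offline in the same shape the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock APIs return, and the “after” case shows the fix Amazon applied in effect: public access blocked.

```python
import json

# All inputs below are constructed for illustration; none are Panion's real
# configuration (the article does not publish it).

# A hypothetical bucket policy that lets anyone on the internet list and read
# the bucket: the kind of setting that makes a bucket "publicly accessible".
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowPublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket",
                     "arn:aws:s3:::example-bucket/*"],
    }],
})

# The corrected policy: only a named application role may read objects.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-uploader"},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Bucket ACL grants in the shape returned by GetBucketAcl; the AllUsers group
# is the anonymous public.
PUBLIC_ACL_GRANTS = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group",
                 "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"},
]

# Block Public Access settings in the shape returned by GetPublicAccessBlock.
NO_BLOCK = {"BlockPublicAcls": False, "IgnorePublicAcls": False,
            "BlockPublicPolicy": False, "RestrictPublicBuckets": False}
FULL_BLOCK = {key: True for key in NO_BLOCK}

PUBLIC_GROUP_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _is_anonymous_principal(principal):
    """True when a policy Principal matches everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = aws if isinstance(aws, list) else [aws]
        return "*" in aws
    return False


def policy_public_statements(policy_json):
    """Sids of Allow statements granting anonymous access with no Condition."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    statements = statements if isinstance(statements, list) else [statements]
    return [
        s.get("Sid", "<no Sid>") for s in statements
        if s.get("Effect") == "Allow"
        and _is_anonymous_principal(s.get("Principal"))
        and not s.get("Condition")
    ]


def acl_public_grants(grants):
    """Permissions the ACL hands to the AllUsers/AuthenticatedUsers groups."""
    return [
        g["Permission"] for g in grants
        if g["Grantee"].get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GROUP_URIS
    ]


def assess_bucket(policy_json, acl_grants, public_access_block):
    """Combine policy, ACL and Block Public Access into one verdict.

    RestrictPublicBuckets neutralises public policy statements and
    IgnorePublicAcls neutralises public ACL grants, so the bucket is only
    effectively public when a public grant exists AND its block is off.
    """
    findings = []
    sids = policy_public_statements(policy_json)
    if sids and not public_access_block.get("RestrictPublicBuckets"):
        findings.append("bucket policy grants anonymous access: " + ", ".join(sids))
    perms = acl_public_grants(acl_grants)
    if perms and not public_access_block.get("IgnorePublicAcls"):
        findings.append("bucket ACL grants public " + ", ".join(perms))
    return {"public": bool(findings), "findings": findings}


if __name__ == "__main__":
    for label, block in (("before (no Block Public Access)", NO_BLOCK),
                         ("after (all four settings enabled)", FULL_BLOCK)):
        print(label, assess_bucket(PUBLIC_READ_POLICY, PUBLIC_ACL_GRANTS, block))
```

The point of combining all three inputs is that reviewing the bucket policy alone misses ACL grants (and vice versa), while enabling all four Block Public Access settings at the account level closes both paths at once, which is why it is the usual first step when a bucket like this one is reported.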
What’s the impact of the leak?
Even though the files in the publicly available Amazon S3 bucket do not contain deeply sensitive personal information like passwords, credit card data or social security numbers, bad actors can use the personal details in the database for a variety of malicious purposes:
- Contact details like names and email addresses can be enough for phishers and scammers to commit targeted attacks against the exposed users via spam emails, while their stated interests can be used against them in social engineering campaigns
- Determined criminals can combine the names and email addresses found in this bucket with other cyber breaches to build profiles of potential targets for identity theft
- The location coordinates of these users can potentially be used for breaking and entering or cyberstalking
What happened to the data?
We found the Panion bucket on September 17 and immediately reached out to the company about the leak. However, we received no response from Panion.
On September 25, we contacted Amazon in order to close the unsecured bucket, and they disabled public access to the server.
What to do if you’ve been affected by the leak?
If you have a Panion app account, there is a high chance that your data was exposed in this leak. To secure your data and avoid any negative consequences of the breach, we recommend doing the following:
- Immediately change your email password and consider using a password manager.
- Look out for potential spam emails and phishing messages popping up in your inbox. Do not click on anything suspicious, including emails from unknown senders.