With messaging apps at the forefront of human interaction in the early 21st century, the security of communication is paramount. However, late last year, our team uncovered an exposed database, which researchers believe belongs to the Tokee platform.

The app has over 1M downloads on the Google Play Store, and is also available on Apple’s App Store, which doesn’t disclose the number of user downloads. The app was developed by Deucetek, a software company based in Atlanta’s metropolitan area.

According to the team, the Tokee data leak exposed around 1.2 million users, which likely represents the vast majority of the app's user base. The exposed database appears to have stored Tokee’s chat messages as well, but our researchers say the messages were encrypted.

“Although user chat messages stored in the same infrastructure appear to be encrypted using password-based OpenSSL encryption, the exposed personal data alone presents significant privacy, security, and regulatory risks,” our researchers explained.

After the team contacted the company and the responsible authorities, the exposed database was taken offline. We have reached out to the app’s makers for comment and will update the article once we receive a reply.

What Tokee user data was leaked online?

The exposed data was stored in the MongoDB database, a popular service businesses use to store and process large volumes of data. Multiple indicators pointed to the database being operated by Tokee.

The Firebase Storage URLs referenced Tokee project identifiers, the schema matched Tokee apps’ functionality, and field naming conventions aligned with the messaging-app’s user management.

Meanwhile, the leaked data revealed information, such as:

• User display names
• Phone numbers (stored as numeric values)
• Profile avatars (hosted on Firebase Storage)
• Device tokens used for push notifications
• User IDs
• Account creation and update timestamps
• “Last seen” activity indicators
• Account status flags (e.g., premium/non-premium)

“Even when message content is encrypted, exposed metadata can reveal who communicates, when, and from where, undermining user privacy,” our team explained.

researchers said.

The team did not observe indications that threat actors exploited the exposed data, but if we were able to discover the database, others may have too. Threat actors operate numerous bots set up to specifically scour the net for exposed databases.

Attackers could exploit the data to track and profile user activity and use leaked tokens for targeted phishing and spam campaigns, increasing cybersecurity risks for app users.

“For smaller messaging providers like Tokee, such incidents carry outsized reputational impact, potentially affecting user trust, adoption, and long-term viability. The case also reinforces that encryption alone is insufficient without proper infrastructure security,” our researchers concluded.

Messaging app leaks are particularly risky, as malicious actors target more prominent market players to peddle malware. Having large amounts of app users’ metadata only makes attackers’ work easier.

Disclosure timeline:

Leak discovered: December 3rd, 2025
Initial disclosure: December 3rd, 2025
Leak closed: January 19th, 2026

Unlock more exclusive Cybernews content on YouTube.