Marching band drill app leaks user data, including passwords

The UltimateDrillBook (UDB) app briefly exposed sensitive user data to anyone on the internet, a recent Cybernews investigation revealed.

Marching bands are opting for apps like UDB over traditional paper drill charts to save time and money and to reduce paper waste. Introduced in 2017, the UDB app lays out the details of a performance, including each member's position, the spacing between members, and the choreographed steps involved.

On September 21, the Cybernews research team found that a database holding sensitive UDB user data was exposed to the internet, where it could easily have been discovered by threat actors.

The MongoDB database contained records on over 112,000 users, including:

  • First and last name
  • Hashed passwords
  • Ensemble/school details
  • Authentication token
  • Emails
  • Restore codes

Such an exposure is concerning because it could result in unauthorized access to users' personal information.

“Threat actors could potentially misuse this data to compromise user accounts or conduct phishing attacks. Additionally, access to ensemble and school details, authentication tokens, and restore codes could lead to unauthorized system access and data manipulation, potentially disrupting the application's intended functionality and user experience,” Cybernews researchers explained.

If threat actors were to crack the hashed passwords, they could use the dataset in subsequent credential stuffing attacks against other services where users reuse the same password.

The researchers immediately informed the company about the issue, and the dataset was secured within 24 hours of disclosure. The company has not responded to journalists' requests for an on-the-record comment.
