The UltimateDrillBook (UDB) app briefly exposed sensitive user data to threat actors, a recent Cybernews investigation revealed.
Marching bands are opting for smart apps like the UDB over traditional sheet music to save time and money and to preserve the environment. Introduced in 2017, the UDB app meticulously outlines the intricate aspects of performances, including positioning, member spacing, and the various choreographed steps involved.
On 21st September, the Cybernews research team identified that a database with sensitive UDB user data was exposed to the internet, meaning it could have easily been discovered by threat actors.
The MongoDB database contained over 112,000 user details, as follows:
- First and last name
- Hashed passwords
- Ensemble/school details
- Authentication token
- Emails
- Restore codes
The exposure of such data is a concerning issue since it could result in unauthorized access to users' personal information.
“Threat actors could potentially misuse this data to compromise user accounts or conduct phishing attacks. Additionally, access to ensemble and school details, authentication tokens, and restore codes could lead to unauthorized system access and data manipulation, potentially disrupting the application's intended functionality and user experience,” Cybernews researchers explained.
If threat actors were to crack the hashed passwords, they could use the dataset for subsequent credential stuffing attacks.
The researchers immediately informed the company about the issue, and the dataset was secured within 24 hours of disclosure. The company hasn’t responded to journalists’ requests for an on-the-record comment.