Fortune-telling website exposes 13M+ user records

WeMystic, a website on astrology, numerology, tarot, and spiritual orientation, left an open database exposing 34GB of sensitive data about the platform's users.

Telling the future is a tricky business, and failure to foretell your own mishaps doesn't help. The content platform WeMystic is a good example of this, with the Cybernews research team discovering that it exposed its users' sensitive data.

WeMystic offers its users astrology, spiritual well-being, and esotericism alongside an online shop for natural stones, chakras, tarot cards, bracelets, and other products. The platform primarily serves Brazilian, Spanish, French, and English speakers.

According to our team, WeMystic left a MongoDB database open and without a password, exposing 34 gigabytes of data related to the service.

Businesses employ MongoDB to organize and store large swaths of document-oriented information. While WeMystic has since closed the database, researchers said that the data was accessible for at least five days.
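The two mongod.conf fragments below are an added illustration of the exposure pattern described in this article set beside a hardened baseline; they are not WeMystic's configuration, which was never published, and the addresses and file path are constructed placeholders.

```yaml
# Added example: contrasting mongod.conf fragments. Not WeMystic's configuration;
# addresses and paths are constructed placeholders.

# --- Exposed pattern: reachable from any network, no authentication ---
net:
  port: 27017
  bindIpAll: true           # listens on every interface, public ones included
security:
  authorization: disabled   # anyone who can connect can read every collection
---
# --- Hardened baseline ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5        # loopback plus one private app-tier address (placeholder)
  tls:
    mode: requireTLS                # refuse plaintext connections
    certificateKeyFile: /etc/ssl/mongo/server.pem   # placeholder path
security:
  authorization: enabled            # every client must present credentials tied to a role
```

With authorization enabled, mongod refuses reads and writes until an administrative user has been created through the localhost exception, so that step belongs in the deployment procedure. Firewall or security-group rules limiting port 27017 to the application tier should complement these settings rather than replace them.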

One of the data collections in the exposed instance, named "users," contained a whopping 13.3 million records. The exposed records include:

  • Names
  • Email addresses
  • Dates of birth
  • IP addresses
  • Gender
  • Horoscope signs
  • User system data

Our research team explains that the exposure of personal user data poses security risks for those involved, since attackers may build on the collected data to carry out targeted attacks, even drawing on seemingly superstitious details such as horoscope signs.

"Threat actors could potentially exploit information for malicious activities such as identity theft, phishing, spamming, and targeted advertising. Attackers could try manipulating individuals based on their spiritual and astrological beliefs, posing serious risks to users' privacy and security," researchers said.

We have asked WeMystic for comment but did not get one before publishing this article.
