The service marketplace platform Yoojo has exposed over 14 million files, including passports, communication screenshots, phone numbers, and other sensitive information.
Yoojo, a popular European platform for connecting individuals with various local service providers, inadvertently revealed millions of sensitive files, the Cybernews research team has discovered.
A misconfigured cloud storage bucket exposed 14.5 million files. Some of the files revealed service provider government-issued IDs, while others had chats between different app users.
Yoojo, formerly known as Youpijobs, works like Uber but for various jobs. Users can connect and hire a local gardener, dog walker, or babysitter. The service is popular in the UK, France, Spain, Netherlands, and other countries. The Yoojo app has over half a million downloads on the Google Play store.
The exposed data was accessible for at least 10 days. While there’s no indication of misuse so far, if our team were able to uncover the exposed bucket, so could actors with less high-minded intentions at heart.
The data is no longer exposed, as Yoojo fixed the issue after our researchers contacted the company. We have also reached out to Yoojo for official comment and will update the article once we receive a reply.
What Yoojo data leaked online?
According to the team, the exposed bucket revealed sensitive details about customers and service providers alike, including:
- Names and surnames
- Passports
- Other government-issued IDs
- Text messages
- Phone numbers
Researchers believe that exposing such details endangers individuals, as attackers could utilize the leaked details for identity theft and various scams.
Since customer providers’ phone numbers were leaked, attackers could use this data to set up fake communications, demanding payment for services from app users.
“Leaked personal details enables attackers to create highly targeted phishing, vishing, and smishing campaigns. Fraudulent emails and SMS scams could involve impersonating Yoojo service providers asking for sensitive information like payment details or verification documents,” researchers said.
Moreover, exposing personal details elevates the risk of harassment, as personal details enable various actors to stalk and blackmail users.
To avoid similar issues happening in the future, our team advises Yoojo to:
- Change the access controls to restrict public access and secure the bucket.
- Update permissions to ensure that only authorized users or services have the necessary access.
- Retrospectively monitor access logs to assess whether the bucket has been accessed by unauthorized actors.
- Enable server-side encryption to protect data at rest.
- Use Key Management Service (KMS) for managing encryption keys securely.
- Enforce SSL/TLS for data in transit to ensure secure communication.
- Consider implementing security best practices, including regular audits, automated security checks, and employee training.
- Leak discovered: February 28th, 2025
- Initial disclosure: March 3rd, 2025
- CERT contacted: March 9th, 2025
- Leak closed: March 11th, 2025
Your email address will not be published. Required fields are markedmarked