Kinomap did not respond to researchers whatsoever and left the database exposed to public access.
Another day, another data breach – this time, researchers have discovered a new trove of personal data exposed online, putting millions of unsuspecting users at risk of online scams and privacy breaches.
Discovered by researchers at vpnMentor, the database belonged to Kinomap, a France-based exercise technology company with millions of active subscribers. The company allows users to record their exercise and training videos and share them with other users. More information on how the company works is available on its Wikipedia page.
However, this time, the company has exposed 40GB worth of data containing 42 million personal records of users across the globe. These records, according to vpnMentor’s blog post, contained Personally Identifiable Information (PII) data including:
Date of joining
A full preview of the data exposed in the breach:
The worrisome part of this incident, other than the data leak itself, is the attitude of Kinomap. vpnMentor’s research team discovered the database on 16th March 2020 and, after identifying its owner, informed the company twice, on 18th March 2020 and 30th March 2020, yet Kinomap never responded to the researchers, nor did it protect the database.
On 12th April 2020, though, the data was protected from public access, which vpnMentor’s team believes happened due to intervention by the French Commission Nationale de l’Informatique et des Libertés (CNIL – National Commission for Data Protection). The CNIL was contacted by the researchers on 31st March 2020.
A similar attitude was seen recently from the “World’s most secure online backup” provider SOS Online Backup, which exposed 135 million user records and never bothered to respond to researchers.
Although these records didn’t contain passwords or payment-related data, in some cases all cybercriminals need is PII, which can be used for identity theft and other scams.
It is, however, unclear whether the database was accessed by a third party with malicious intent. If it was, one can expect the database to be dumped on hacker forums and dark web marketplaces. For example, just two days ago a hacker was found selling 267 million Facebook records, which turned out to be the same database that was leaked in December 2019 on a misconfigured Elasticsearch server.
Nevertheless, it’s bad news for Kinomap because, apart from Canada, Japan, South Korea, and the United States, most of the exposed data belonged to users in European countries including Belgium, Finland, Hungary, Germany, Portugal, France, and the United Kingdom. This suggests that a hefty GDPR fine might be coming its way very soon.