At the time of writing, the total number of impacted customers was 65,000; however, at the time of publishing this article, the number had increased to 67,000, meaning the leak is ongoing.
MyQRcode, a popular Sofia, Bulgaria-based QR code generator website, is leaking the personal data of its users. The security breach or data leak has resulted in the leakage of over 128 GB of data, including the personal information of 66,000 customers.
The leak was caused by misconfiguration, making the server publicly accessible to the public without any security authentication or password. What’s worse, it was also noted that the data was being actively updated with new records each day, indicating that the leak was still ongoing.
On the other hand, the leaked data includes personal and login credentials of My QR Code customers, including the following information:
- Full names
- Job title
- Email addresses
- Password hashes
- URLs to QR codes
- Phone numbers
- Physical addresses
- Alternative phone numbers
- Links to social media profiles
- States, postcodes and country
- Links to users’ personal, business, or company websites
Security researcher Anurag Sen exclusively reported the leak to Hackread.com. Sen discovered the server on Shodan while searching for misconfigured cloud databases.
For your information, Shodan is an OSINT tool and a specialized search engine used by cybersecurity researchers to locate vulnerable Internet of Things (IoT) devices, including servers and misconfigured databases on the internet.
Upon further investigation with CloudDefenseAI, it was discovered that new records were being actively added to the data each day. For instance, at the time of writing, the total number of impacted customers was 65,000 however at the time of publishing this article, the number increased to 67,000.
This leak can have serious consequences for the affected customers. Cybercriminals and scammers can potentially use the leaked data to carry out identity theft, phishing attacks, or physical crimes since the addresses of users are part of the leak.
Here, it is worth noting that the server has been misconfigured since February 4th, 2023. MyQRcode was informed about the leak last week, but the company has not responded or released a statement on the matter. It is also unclear how long the server has been left unprotected, or if it has been accessed by a third party with malicious intent.
In the meantime, Hackread.com can advise customers who have used MyQRcode to generate QR codes to be vigilant about any suspicious activity on their accounts and to monitor their personal information closely. It is also recommended that they change their passwords and enable two-factor authentication wherever possible.
MyQRcode and GDPR
The General Data Protection Regulation in Europe (GDPR) applies to Bulgaria, as the country is one of the 27 member states of the European Union. The GDPR is implemented in Bulgaria through the Personal Data Protection Act (PDPA).
Under the GDPR, the fines for data breaches and other violations of the regulation can be up to 20 million EUR or 4% of a company’s global annual revenue, whichever is higher. In 2019, Commission for Personal Data Protection issued a BGN 5.1 million ($2,790,392) fine to the country’s National Revenue Agency for violations of the GDPR.
Nevertheless, the incident once again highlights the importance of proper cybersecurity measures, particularly in a digital world where more and more personal data is being stored online.
Companies must take every possible step to ensure the safety and security of their customer’s data, and failure to do so could result in serious consequences for everyone involved.