Fleek shut down its operation in 2019 but did not secure its server or remove users’ data.
VpnMentor’s research team led by cybersecurity analyst Noam Rotem discovered a data breach involving the now-defunct Fleek social media app.
Cloud Misconfiguration Exposed Private Photos
The app was launched in 2016 and stopped operating in 2019. However, the app operators did not secure the massive amount of sensitive data they had collected over the years. As a result, hundreds of thousands of files were exposed, many of which were explicit photos of the app's users. The users thought they had deleted the files, but that obviously was not the case.
What is Fleek?
Fleek, owned by Squid Inc., was launched as an X-rated alternative to Snapchat's Campus Stories. It offered similar photo-sharing features but without any filtering, censorship, or moderation. Therefore, most of the exposed data consists of explicit images, ranging from sexual imagery to drug abuse.
The app was a massive hit among young people, particularly college students, because it promised to delete their photos automatically after a short period. That is why users confidently posted salacious photos in which they were performing illegal or sexually explicit activities.
“If cyber-criminals obtained these images and knew how to find the people exposed, they could easily target them and blackmail them for large sums of money,” researchers noted.
According to vpnMentor's research team, they discovered the misconfigured AWS S3 bucket on 13 October 2020. The photos had been stored long before the app ceased operating, which pointed to a possible scam run by the app operators, who might have been monetizing the data by targeting users with "fake chatbot accounts."
Most of the images were kept in folders that the app developers had given "offensive and derogatory names like 'asianAss'."
The researchers discovered 377,000 files stored in the 32 GB AWS S3 bucket. The exposed data included photos and bot scripts, so the researchers believe it could be related to a paid chat room service promoted by the app owners. They believe the owners created bot accounts using stolen photos of women to chat with users, who had to pay for the conversations.
The exposed bucket was secured within a week of the research team notifying Squid Inc. and AWS about the exposure. Whether the data was deleted or not remains unclear.
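The root cause described above is an S3 bucket that anyone on the internet could read. As an added example (not code from the article or from vpnMentor), the check below evaluates a bucket's ACL together with its Block Public Access settings, using the response shapes that boto3's s3.get_bucket_acl() and s3.get_public_access_block() return; the sample responses are constructed inline so the check runs offline, and the bucket name and owner ID are placeholders.

```python
# Added example, not from the article: flag an S3 bucket whose ACL opens it to
# anonymous or any-AWS-account readers, unless Block Public Access neutralises
# the ACL. Inputs mirror boto3's get_bucket_acl() and get_public_access_block()
# responses; boto3 itself is not imported so the example runs without AWS access.

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS: "anonymous", AUTH_USERS: "any AWS account"}

def public_acl_grants(acl):
    """Return (who, permission) pairs for ACL grants to the public groups."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return found

def acls_neutralised(pab):
    """True when IgnorePublicAcls is on. pab is the PublicAccessBlockConfiguration
    dict, or None when the bucket has none (boto3 then raises
    NoSuchPublicAccessBlockConfiguration, which the caller maps to None)."""
    return bool(pab and pab.get("IgnorePublicAcls"))

def assess_bucket(acl, pab):
    """Return a list of findings; an empty list means no ACL-based public read.
    Note: a bucket ACL only governs listing and bucket metadata; per-object ACLs
    and the bucket policy must be checked separately for a full picture."""
    findings = []
    if not acls_neutralised(pab):
        for who, perm in public_acl_grants(acl):
            findings.append(f"{perm} granted to {who} and not blocked")
    if pab is None:
        findings.append("no Block Public Access configuration on the bucket")
    return findings

# Constructed samples: a bucket listable by anyone with no Block Public Access
# (placeholder owner ID), versus the same ACL behind a fully locked-down config.
EXPOSED_ACL = {"Owner": {"ID": "OWNER-ID-PLACEHOLDER"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]}
LOCKED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(assess_bucket(EXPOSED_ACL, None))        # two findings
    print(assess_bucket(EXPOSED_ACL, LOCKED_PAB))  # []
```

Enabling all four Block Public Access settings at the account level is the simplest way to make a stray public ACL like the one above ineffective, which is the control that would have prevented this kind of exposure.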
“It’s also important to know what happens to your data after a company that has collected it goes bankrupt or shuts down. Often, with smaller companies, the owner maintains possession of the data, and there’s very little accountability stopping them from misusing it or sharing with others in the future,” researchers wrote, warning users about the consequences of ignoring online data sharing best practices.