X-rated social media app Fleek exposed explicit photos of users

Fleek shut down its operation in 2019 but did not secure its server or remove users’ data. Here’s what was leaked and when.

vpnMentor’s research team, led by cybersecurity analyst Noam Rotem, discovered a data breach involving the now-defunct Fleek social media app.

Cloud Misconfiguration Exposed Private Photos

The app was launched in 2016 and stopped operating in 2019. However, the app operators didn’t secure the massive amount of sensitive data they collected over the years. As a result, hundreds of thousands of files were exposed, many of which were explicit photos of the app’s users. The users thought they had deleted the files, but that obviously wasn’t the case.

What is Fleek?

Fleek, owned by Squid Inc., was launched as an X-rated alternative to Campus Stories from Snapchat. It offered similar photo-sharing features but without any filtering, censorship, or moderation. As a result, most of the exposed data consists of explicit images, ranging from sexual imagery to drug abuse.

The app was a massive hit among the youth, particularly college students, because it promised to delete their photos automatically after a short period. That’s why users confidently posted salacious photos in which they were performing illegal or sexually explicit activities.

“If cyber-criminals obtained these images and knew how to find the people exposed, they could easily target them and blackmail them for large sums of money,” researchers noted.

The Discovery

According to vpnMentor’s research team, they discovered the misconfigured AWS S3 bucket on 13 October 2020. The photos were being stored long before the app ceased operating, which exposed a scam potentially developed by the app operators, as they might have been monetizing it by targeting users with “fake chatbot accounts.”

Most of the images were shared in folders and the app developers had titled them with “offensive and derogatory names like ‘asianAss.'”

Exposed Data

The team of researchers discovered 377,000 files stored in the 32 GB AWS S3 bucket. The exposed data included photos and bot scripts, so the researchers believe it could be related to a paid chat room service promoted by the app owners. They created bot accounts, using stolen photos of women, to chat with users, who had to pay to chat with them.

The exposed bucket was secured within a week of the research team notifying Squid Inc. and AWS about the exposure. Whether they deleted the data or not remains unclear.

“It’s also important to know what happens to your data after a company that has collected it goes bankrupt or shuts down. Often, with smaller companies, the owner maintains possession of the data, and there’s very little accountability stopping them from misusing it or sharing with others in the future,” researchers wrote, warning users about the consequences of ignoring online data sharing best practices.
