Personal Data (Incl. SMS & Calls) of Mobile Loan App Users in China Left OPEN for ALL to See

Jim Wilson of Safety Detectives reports on some of their team’s recent findings:

Safety Detectives’ research team has recently discovered a sizeable data leak (over 899gb and growing by the day) of a China-based server, which has now been closed. We are unable to confirm the company behind the leak, but according to the data, it appears to most likely be a marketing agency for mobile apps. The provider of the server is Aliyun Computing Co., but they only rented the server to the company and are not otherwise involved or responsible for the leak.

Ugh. With Safety Detective’s kind permission, I am going to reproduce some of their post here to show how much data was exposed by this misconfigured elasticsearch. Let’s start with the credit evaluation reports that they found, which contain:

  • Loan records and details
  • Risk management data
  • Real ID numbers
  • Personal details
    • Name
    • Address
    • Contact number

What’s Being Leaked?

Our team also found:

  • Device data – over 4.6 million unique entries
    • GPS location
    • Detailed list of contacts
    • SMS logs
    • IMSI numbers
    • IMEI numbers
    • Device model/version
    • Stored app data
    • Memory data
  • Operator reports
  • Transaction details
  • Mobile billing invoices
    • Full names
    • Phone numbers
    • Bill amount per month
    • Call log
    • Credit and debit card details
  • Concentrated list of apps on each mobile device
  • Detailed tracking of app behavior
    • Device information
    • Device location
    • Launch & exit times
    • Duration on the content, etc.
  • Passwords with MD5 encryption, which can be decoded

Read Safety Detective’s complete report on their site.

About the author: Dissent