Popular avatar app Boomoji exposed millions of users’ contact lists and location data

Zack Whittaker reports:

Popular animated avatar creator app Boomoji, with more than five million users across the world, exposed the personal data of its entire user base after it failed to put passwords on two of its internet-facing databases.


The China-based app developer left the ElasticSearch databases online without passwords — a U.S.-based database for its international customers and a Hong Kong-based database containing mostly Chinese users’ data in an effort to comply with China’s data security laws, which requires Chinese citizens’ data to be located on servers inside the country.


Anyone who knew where to look could access, edit or delete the database using their web browser. And, because the database was listed on Shodan, a search engine for exposed devices and databases, they were easily found with a few keywords.

Read more on TechCrunch.  Reportedly, Boomoji did not provide an accurate answer or explanation when TechCrunch reached out to them, leading TechCrunch to practice skills U.S. journalists are getting a lot of practice at — the art of calling someone a liar.

After TechCrunch reached out, Boomoji pulled the two databases offline. “These two accounts were made by us for testing purposes,” said an unnamed Boomoji spokesperson in an email.

But that isn’t true.

Read the rest of Zack’s report to find out how they proved that Boomoji’s assertion wasn’t accurate. 

About the author: Dissent