Oyetalk, the Android Voice Chat App With 5M Downloads Leaked Private User Conversations
- Written by Ari Denial Cybersecurity & Tech Writer
OyeTalk, a popular app for voice chats, left user chats unencrypted and stored them on an unprotected database without a password.
With over five million downloads on the Google Play Store and a 4.1 out of 5-star rating from 21,000 reviews, OyeTalk is a popular voice-chat app. The platform enables users to engage in discussion rooms on diverse topics and host podcasts. The app is promoted on the website as one of the fastest-growing audio talent-hosting applications, which can be downloaded in over 100 countries.
Unprotected access to Firebase, Google’s mobile application development platform that provides cloud-hosted database services, caused data leakage. Over 500MB of data, including unencrypted user chats, usernames, and cell phone International Mobile Equipment (IMEI) numbers, was exposed.
Furthermore, it was reported that sensitive hardcoded data, such as Google API (application programming interface), was present on the client side of the app. This is considered unsafe because it can be easily accessed through reverse engineering.
Before the most recent data leak, the OyeTalk app had already experienced prior security breaches. According to an investigation, an unidentified party previously identified and flagged the app’s database as susceptible to data leaks. This discovery was likely made without malicious intent. The database also had specific fingerprints, referred to as “Proof of Compromise (PoC),” which are typically used to indicate open Firebases.
According to CN, “hardcoding sensitive data into the client side of an Android app is unsafe, as in most cases it can be easily accessed through reverse engineering. In the past, this sloppy security practice has been successfully exploited by threat actors in other apps, resulting in data loss or complete takeover of user data stored on open Firebases or other storage systems.”
Although the app developers were notified of the data leak, they neglected to restrict public access to the database. However, since the extent of the leak was significant, Google’s security measures intervened and terminated the instance. A notification was issued indicating that the dataset was too voluminous to download in a single attempt.
Social Security Numbers of Over 1,80,000 Illinoisans Hacked by Threat Actors
- Written by Ari Denial Cybersecurity & Tech Writer
As a result of the attack on Lutheran Social Services of Illinois (LSSI), hackers gained access to individual names, dates of birth, financial records, sensitive medical diagnosis and treatment information, Social Security numbers (SSNs), and more personal information.
On 27 January 2022, a non-profit social service provider in Illinois, Lutheran Social Services of Illinois (LSSI) stated that the organization was hit by a severe ransomware attack. After identifying the attack, they promptly disabled and isolated the affected systems. A thorough investigation was started immediately.
“After an extensive forensic investigation and comprehensive review of the data impacted, we determined the extent that the unauthorized party accessed certain files containing personal and health information that were maintained on the affected systems. The types of information potentially involved may include individual names, dates of birth, Social Security numbers, financial account information, driver’s license numbers, biometric information, medical diagnosis and treatment information, and health insurance information. We are notifying potentially affected individuals via mail,” said the LSSI officials .
According to a data breach notification sent to the Maine Attorney General, more than 1,84,000 people were affected by the cyberattack.
On January 25, 2023, almost a year after the nonprofit discovered its systems had been breached, LSSI sent letters to potentially affected users. There was no evidence that the stolen data had been used for identity theft or financial fraud, according to LSSI. Threat actors, on the other hand, can sit on stolen data for a while before selling it, or they can compile it into larger sets before selling it at a higher price.
“Involved individuals are encouraged to take steps to protect themselves against identity fraud, including placing a fraud alert/security freeze on their credit files, obtaining free credit reports, and remaining vigilant in reviewing financial account statements and credit reports for fraudulent or irregular activity on a regular basis,” suggested the officials.
