To increase efforts to secure user data, Snewpit will be reviewing “all server logs and access control settings” to confirm that no unauthorized access took place and to ensure that “user data is secure and encrypted.”
The CyberNews investigations team discovered an exposed data bucket that belongs to Snewpit, an Australian news sharing platform. The unsecured bucket contains close to 80,000 user records, including usernames, full names, email addresses, and profile pictures.
The files that contain the records were stored on a publicly accessible Amazon Web Services (AWS) server, which means that anyone with a direct URL to the files could access and download the data that was left out in the open.
On September 24, the sensitive files in the Snewpit bucket were secured by the company and are no longer accessible.
To see if your email address has been exposed in this or other security breaches, use ourpersonal data leak checker.
The exposed Snewpit Amazon AWS bucket contained 26,203 files, including:
Aside from the user records, the bucket also contained thousands of user profile pictures.
Here are some examples of the user records, videos, and images left on the exposed Snewpit bucket.
The CSV file contains user records for what we assume to be users who downloaded and installed the Snewpit app, which currently has 50,000+ installs on Apple’s App Store and Google’s Play store.
The video files stored in the bucket seem to show raw footage from news posts, including criminal incidents.
There were also user profile pictures among the files stored in the bucket.
The publicly available Amazon bucket appears to belong to Snewpit, a software company based in Australia. Snewpit is a map-based peer-to-peer app that allows users to create, find, and share real-time news updates, as well as receive notifications for news posted within 5 kilometers of their location.
According to the developers, the app is aimed at helping users “form a worldwide community of citizen journalists, reporting and discovering local news and events happening around them.”
The app is mostly used by Australians, with small userbases currently located in the US and the UK.
According to Snewpit founder Charlie Khoury, the bucket has been exposed for 5 weeks since the development team made server changes to the system reporting. While Snewpit have not noticed any suspicious activity, the company is reviewing all server logs to confirm that this is the case.
”We will be reviewing all access control settings and ensuring our user data is secure and encrypted. We take our data and security seriously and will endeavour to make sure this does not happen again.” -Charlie Khoury
With that said, the files were stored on a publicly accessible Amazon S3 server, and bad actors can find unprotected Amazon buckets relatively easily. Since these buckets lack any sort of protection from unauthorized access, there is a possibility that the data may have been accessed by bad actors for malicious purposes during the 5-week period.
Fortunately, the files stored in the exposed Snewpit bucket don’t contain any deeply sensitive information like personal document scans, passwords, or social security numbers. However, even this data can be enough for bad actors to abuse for a variety of malicious purposes:
We discovered the Snewpit bucket on September 24 and immediately reached out to the company in order to help secure the bucket. The Snewpit team responded within minutes and secured the files containing user records on the same day.
If you have a Snewpit account, there is a high chance that your records may have been exposed in this breach. To secure your data and avoid any potential harm from bad actors, we recommend doing the following:
(SecurityAffairs – hacking, Snewpit)