A recent discovery by the security research team at Safety Detectives has revealed that reams of personal data, such as SMS and call records of mobile loan app users in China, were left unprotected and open for anybody on the internet to access. The data leak from the China-based server is estimated to be nearly 1TB.
The company responsible for the leak has not been singled out so far, but there is a high likelihood that it is a marketing agency for mobile applications. The leaked database is a treasure trove of data related to more than 100 loan-related apps. The server provider is Aliyun Computing Co., and it is in no way related to the breach, as it merely rented server space to the company responsible for the leak.
According to the security research team at Safety Detectives, a simple search through the database turned up credit evaluation reports containing personal and sensitive data such as loan records, risk management data, name, address, contact number, and real ID numbers.
Apart from the aforementioned user data, device data amounting to over 4.6 million unique entries was found in the database. GPS location, contact list, SMS log, IMEI numbers, app data, memory data, banking details, device location, poorly encrypted passwords and operator reports were among the pieces of information readily available in the leaked database.
The database revealed that the applications had tracked their users very precisely. Such hyper-tracking is a serious violation of privacy, yet it is practiced by several marketing agencies across the world to better target their customers and fine-tune their offerings.
Generally speaking, mobile phone account information is sufficient to find out everything about a person. In such a case, an openly available database that stores mobile phone account information alongside other sensitive information such as account details and transaction details is a significant privacy threat.
The details currently found in the database are adequate for someone to take over the real identity of a person. We have yet to learn more about this elastic database and whether someone will claim ownership and quickly secure it to avoid any potential dangers.