Security Experts:

Connect with us

Hi, what are you looking for?



Millions of Digital Wallets Exposed by Key Ring

The popular digital wallet application Key Ring recently exposed information belonging to millions of its users, vpnMentor reports.

The popular digital wallet application Key Ring recently exposed information belonging to millions of its users, vpnMentor reports.

Key Ring is an application that creates a digital wallet on the user’s phone and allows them to upload scans and photos of membership and loyalty cards, but many also use it to store copies of IDs, driver’s licenses, credit cards, and the like.

The company was founded in 2009 and claims to have 14 million users that stored 60 million cards last year. The company no longer serves users in the European Union, as it is not compliant with GDPR.

vpnMentor discovered that a misconfigured Amazon Web Services (AWS) S3 bucket from the company exposed the user uploads. Four other unsecured S3 buckets belonging to Key Ring were also found, each exposing more sensitive data.

“These unsecured S3 buckets were a goldmine for cybercriminals, making millions of people across North America vulnerable to various forms of attack and fraud,” vpnMentor notes.

Popular storage solutions on AWS, S3 buckets offer robust security features, but misconfigurations could leave them exposed to anyone with a web browser, and this is what happened in Key Ring’s case as well.

While it’s uncertain for how long the company’s buckets were left open, vpnMentor reveals that they were first picked up by its scanning tools in January.

Once they confirmed the leak, vpnMentor’s researchers contacted Key Ring and AWS on February 18, and the buckets were secured shortly after (February 20).

One AWS S3 bucket included more than 44 million images uploaded by Key Ring users, including scans of government-issued IDs, retail club membership and loyalty cards, NRA membership cards, gift cards, credit cards with all details exposed (including CVV), medical insurance cards, medical marijuana ID cards, and more.

The bucket also contained CSV files storing membership lists and reports for some of North America’s most prominent retail brands, which use Key Ring as a marketing platform. Thus, the bucket exposed personally identifiable information (PII) belonging to millions of people.

Affected companies included Walmart/Kleenex (approximately 16,000,000 users), La Madeleine Bakery chain (~6,600), Footlocker, and Mattel (~2,000).

PII exposed in the La Madeleine Bakery list included full names, email addresses, membership ID numbers, dates of birth, and locations and Zip codes.

Four other buckets vpnMentor discovered were holding even more private data, including a snapshot of the company’s database containing highly sensitive information about its users, such as emails, home addresses, device and IP address information, and hashed passwords and their corresponding cryptographic salt.

“In total, five S3 buckets belonging to Key Ring were exposed, all containing valuable, private information that could have serious security implications for millions of people,” vpnMentor notes.

Related: AWS S3 Buckets Exposed Millions of Facebook Records

Related: AWS Security Service ‘Amazon Detective’ Now Generally Available

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Data Protection

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.