The popular digital wallet application Key Ring recently exposed information belonging to millions of its users, vpnMentor reports.
Key Ring is an application that creates a digital wallet on the user’s phone and allows them to upload scans and photos of membership and loyalty cards, but many also use it to store copies of IDs, driver’s licenses, credit cards, and the like.
The company was founded in 2009 and claims to have 14 million users that stored 60 million cards last year. The company no longer serves users in the European Union, as it is not compliant with GDPR.
vpnMentor discovered that a misconfigured Amazon Web Services (AWS) S3 bucket belonging to the company exposed the user uploads. Four other unsecured S3 buckets belonging to Key Ring were also found, each exposing further sensitive data.
“These unsecured S3 buckets were a goldmine for cybercriminals, making millions of people across North America vulnerable to various forms of attack and fraud,” vpnMentor notes.
S3 buckets, a popular AWS storage service, offer robust access controls, but a bucket policy or ACL that grants read access to everyone leaves its contents readable by anyone with a web browser, and that is what happened in Key Ring's case.
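To make the misconfiguration concrete, here is an added example (not from the article, vpnMentor, or Key Ring) that checks an S3 bucket policy document for statements granting object reads to an anonymous principal. The three sample policies are constructed for illustration; the bucket name, account ID and role name are placeholders. The same logic is what a scanner runs before flagging a bucket as world-readable.

```python
import json

# Constructed sample policies (placeholders, not Key Ring's real configuration).
# Weak setting: anyone on the internet can GetObject on every key.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadGetObject",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-uploads-bucket/*",
    }],
})

# Corrected setting: only a named application role may read or write.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/wallet-app"},
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-uploads-bucket/*",
    }],
})

# Anonymous principal, but gated by a Condition: worth a manual look, not
# automatically public (the condition may or may not be meaningful).
IP_RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "OfficeOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-uploads-bucket/*",
        "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}},
    }],
})


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """True if the principal element means 'everyone' (including unauthenticated)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS", [])))
    return False


def _grants_object_read(actions) -> bool:
    """True if the action list covers reading objects (explicit or via wildcard)."""
    for action in _as_list(actions):
        a = action.lower()
        if a in ("*", "s3:*", "s3:getobject") or a.startswith("s3:get*"):
            return True
    return False


def public_read_findings(policy_json: str) -> list[dict]:
    """Return one finding per Allow statement that lets an anonymous principal
    read objects. 'conditional' is True when a Condition block is present."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # explicit Deny never widens access
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if not _grants_object_read(stmt.get("Action", [])):
            continue
        findings.append({
            "sid": stmt.get("Sid", f"statement[{idx}]"),
            "conditional": "Condition" in stmt,
        })
    return findings


def is_publicly_readable(policy_json: str) -> bool:
    """Unconditional anonymous read means the bucket is open to any browser."""
    return any(not f["conditional"] for f in public_read_findings(policy_json))


if __name__ == "__main__":
    for name, doc in [("public", PUBLIC_READ_POLICY),
                      ("restricted", RESTRICTED_POLICY),
                      ("ip-gated", IP_RESTRICTED_POLICY)]:
        print(name, is_publicly_readable(doc), public_read_findings(doc))
```

A policy check alone is not sufficient: object and bucket ACLs can grant public read independently of the policy, so in practice the remediation is to enable S3 Block Public Access on the bucket (all four settings: BlockPublicAcls, IgnorePublicAcls, BlockPublicPolicy, RestrictPublicBuckets) and serve user uploads only through the application with short-lived pre-signed URLs.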
While it’s uncertain for how long the company’s buckets were left open, vpnMentor reveals that they were first picked up by its scanning tools in January.
After confirming the exposure, vpnMentor's researchers contacted Key Ring and AWS on February 18; the buckets were secured shortly afterward, on February 20.
One AWS S3 bucket included more than 44 million images uploaded by Key Ring users, including scans of government-issued IDs, retail club membership and loyalty cards, NRA membership cards, gift cards, credit cards with all details exposed (including CVV), medical insurance cards, medical marijuana ID cards, and more.
The bucket also contained CSV files storing membership lists and reports for some of North America’s most prominent retail brands, which use Key Ring as a marketing platform. Thus, the bucket exposed personally identifiable information (PII) belonging to millions of people.
Affected companies included Walmart/Kleenex (approximately 16,000,000 users), La Madeleine Bakery chain (~6,600), Footlocker, and Mattel (~2,000).
PII exposed in the La Madeleine Bakery list included full names, email addresses, membership ID numbers, dates of birth, and locations and Zip codes.
The four other buckets vpnMentor discovered held even more private data, including a snapshot of the company's database containing highly sensitive information about its users, such as email addresses, home addresses, device and IP address information, and hashed passwords together with their corresponding salts. A salt defeats precomputed lookup tables, but once the hashes and salts are in an attacker's hands nothing prevents offline guessing of weak passwords.
“In total, five S3 buckets belonging to Key Ring were exposed, all containing valuable, private information that could have serious security implications for millions of people,” vpnMentor notes.