Public Cloud Bucket Exposure puts 10 Million Pray.com Members at Risk

Dec 16, 2020


This past month, the daily prayer and Bible app Pray.com was found to have exposed the data of approximately 10 million people through several open, publicly accessible cloud databases (Amazon Web Services S3 buckets). Among the 1.9 million files left exposed, researchers found 80,000 to contain personally identifiable information (PII). These files included church attendees’ names, home and email addresses, phone numbers, and marital status. More concerning was the other data researchers found Pray.com to be holding onto. Depending on the permissions users granted, Pray.com had access to users’ phonebook files, donation records, and some photos, and was storing the information of non-users without their permission.

“The people whose data Pray.com had stored in these phonebook files were not app users; they were simply people whose contact details had been saved on a Pray.com user’s device. In total, we believe Pray.com stored up to 10 million people’s private data without their direct permission – and without its users realizing they were allowing it to happen.”

vpnMentor.

The exposure of 10 million people’s information is immense, but what’s concerning is the excessive storage of data, which allowed this exposure to be so extensive. Storing users’ entire contact lists allowed cybercriminals to access hundreds of individual contacts from users, revealing non-users’ names, phone numbers, emails, home and business addresses, and other details. The long lists of donations processed by Pray.com allowed for insight into users’ finances, and the storage of some photos unnecessarily invaded users’ privacy.

“This breach is about two primary themes – first, making sure an organization has cloud configurations locked down appropriately. The second is making sure the organization clarifies what data is being consumed and for what purpose. Organizations should remember to think long and hard about what data they retain and how it is secured. If there’s not a good reason to retain data…don’t keep it!”

Secuvant’s Director of Risk Services, Richard Rieben.

Organizations need to be aware of the information they collect from their users and ask themselves why they need this data and how long they are holding onto it. In the case of Pray.com, they had excessive rights to access information that was unnecessary to their operations. Users need to be conscious of what information they are allowing organizations to access; however, for this to be effective, organizations need to be clear with their user population about what data they are storing and using. If you don’t need the data, don’t hold onto it. More importantly, organizations need to have their bases covered when assessing their cloud network. Dropping the ball and leaving just one port open could spell disaster for an organization and give cybercriminals the access they need to infiltrate its network.

About Secuvant:

Located in Salt Lake City, Utah, Secuvant is a global leader in integrated cyber threat analytics and risk advisory services, built on a value system of client focus, integrity, accountability, execution, and teamwork. Secuvant’s mission is to provide clients with a Clear Path Forward in their pursuit of establishing an acceptable security risk posture. Secuvant’s success is built upon strict adherence to its values, a functioning world-class advisory board, the unique combination of cybersecurity expertise and industry / vertical specialization, and a team of experts that repeatedly deliver best-in-class managed and advisory cybersecurity and risk services. Secuvant understands Cyber Risk is Business Risk™ and uses methodologies and metrics aimed at minimizing business risk. Services include, but are not limited to, Security Gap and Risk Assessments, Risk Program Management, Executive and Board Cyber Advisory, Penetration Testing, Security Monitoring, Managed Detection and Response and Incident Response services. To learn more, visit www.secuvant.com.