On October 15th I discovered a non-password-protected database that contained a large number of internal records. There was a total of more than 123 million records exposed, containing a combination of test and production data. Upon further investigation I saw that there was a large collection of user data: in total there were 13 million user records that included names, email addresses, and user ID numbers, all in plain text. Security Discovery’s Bob Diachenko also found the same dataset on October 19th, during the window before public access was closed.
It is unclear how long these records were exposed or who else may have had access to this data. It is also unclear whether users were ever informed of the data breach. Fotor (Everimaging Ltd.) is based in Chengdu, Sichuan, China. According to the description on the Google Play store, “Fotor is an online photo editing program with 350 million users from all around the globe.” I did see geo-location logging in the user accounts from multiple countries.
What the database contained:
- The database was publicly accessible: it was open and viewable in any browser, and anyone could edit, download, or even delete data without administrative credentials.
- 123,667,540 total records were accessible.
- The exposed records were internal records that included both testing and production data.
- 13 million users’ names, email addresses, and geo-location data.
- Users could be targeted in a phishing attack that exploits their trust relationship with the service.
- The database was at risk from ransomware, malware, or an automated Meow bot attack.
My full summary of this discovery can be found here on Secure Thoughts.