Researchers have recently stumbled upon an unsecured database belonging to Fleek, an X-rated social media app that ceased operations in 2019. The app was apparently popular on college campuses, offering an unfiltered alternative to the all-too-familiar Snapchat. Users could upload unfiltered and unmoderated content, including nudity and drug and alcohol use, among others.
According to vpnMentor researchers, the developers of Fleek failed to secure or delete user information before decommissioning the app, exposing more than 300,000 explicit user photos.
“Like Snapchat, any images uploaded to Fleek were meant to be automatically deleted after a short time,” the research team explained. “However, it appears that Fleek’s developers were storing some images uploaded to the app by users – and continued to store them even after they shut the app down.”
The data was discovered in a misconfigured Amazon Web Services S3 bucket on October 13 last year. Lacking username and password authentication, the unsecured bucket gave researchers access to nearly three years' worth of records, primarily linked to US-based users.
“Most of the data in the S3 bucket consisted of images uploaded by users, including their account avatars,” the report said. “During our investigation, we reviewed many images of users engaging in embarrassing and illegal activities and sharing sexually explicit photos of themselves.”
It appears that the exposed records also included chat bot data, leading the researchers to believe that Fleek was attempting to capitalize on the large number of male users by promoting a paid chat room.
To tempt users into entering the chat rooms, the developers seem to have set up fake bot accounts using photos of young women scraped from the internet.
“The only way users could view the accounts sending them messages – and ensure they weren’t fake – was to pay Fleek a small fee, according to the scripts we found in the bucket,” researchers noted. “Unfortunately, most of the accounts were still fake. In fact, it appears they’d been created by Fleek to trick users.”
The researchers contacted the owners of the app to notify them about the data leak, but received no response. Fortunately, they were able to contact the cloud storage provider, who immediately secured the bucket.
Even if the app is no longer available, the leak could have far-reaching consequences for former users. If the exposed data fell into the hands of cybercriminals, the information could be used in blackmail or extortion schemes.
This is why users of similar apps should think twice before sharing compromising photos or information, regardless of any promises of complete secrecy or discretion.