JusTalk, a popular mobile video calling and messaging app with 20 million global users, exposed a massive database of supposedly private messages to the public Internet for months. According to security researcher Anurag Sen, who discovered the open database, the messages were stored unencrypted, and the database itself was not locked behind a password.
"Rest assured your calls and messages are secured," the JusTalk website reads, "Only you and the person you communicate with can see, read, or listen to them: even the JusTalk team won't access your data!"
But, as we know, "won't access" is not the same as "can't access". And when anybody has the ability to see somebody else's private data, it opens the door for both malice and mistakes.
The open database is a logging database the company, Ningbo Jus Internet Technology, uses to keep track of app bugs and errors. It also houses hundreds of gigabytes of data and is hosted on a Huawei cloud server in China. Sen said anyone can access the data using a web browser if they have the right IP address.
Data collected from Shodan, a search engine for exposed devices and databases, shows that the company continued to use the database until it was first exposed in early January (at least).
Because the database is, essentially, a smorgasbord of every data the company collects—chat logs, video logs, granular location data, data of child users of their JusTalk Kids app, records from their JusTalk second phone number—it's complicated to put a number on affected victims of this breach. However, it is prudent to assume everyone using Ningbo Jus's products is affected.
The server was collecting and storing more than 10 million individual logs each day, including millions of messages sent over the app, including the phone numbers of the sender, the recipient and the message itself. The database also logged all placed calls, which included the caller’s and recipient’s phone numbers in each record.~ Zack Whittaker, TechCrunch
Shortly after TechCrunch published a story on JusTalk not really having end-to-end encryption, the open database was no longer accessible.
As Shodan is used by security researchers and online criminals alike, TechCrunch found evidence that someone had already accessed the database—perhaps even created copies of the data there. The outlet found an undated ransom note left by a data extortionist in the database for the company to find.
Because the database has all collected data stored in one place, it's doubtful that the company even noticed this ransom note. Ningbo Jus may not even know that it's already being extorted.
The blockchain address associated with the ransom note has not yet received any funds.