Five misconfigured Amazon Web Services (AWS) S3 buckets revealing private data of Key Ring users were discovered by vpnMentor researchers in January.

Like many similar apps, Key Ring lets users store digital copies of their loyalty cards, create a shopping list, receive weekly deals, and benefit from new loyalty programs. Some users, however, use the app to upload their personal ID and credit cards to avoid digging through their wallets.

What happened?

Instead of setting the S3 buckets storing user files to “private,” Key Ring developers misconfigured the buckets, allowing 44 million images to be accessed by any individual with a browser.

“Our team was able to access this database because it was completely unsecured and unencrypted. We reached out to Key Ring, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure,” said the researchers.

The first misconfigured bucket exposed a database that included scans of retail club and loyalty card memberships, government IDs, gift cards, full credit card details (including CVV numbers), medical insurance cards, and even medical marijuana IDs.

The data leak also showed CVS files containing membership detail lists of prominent North American retailers such as Footlocker, Matte and Walmart that exposed additional personal identifiable information for customers, including full names, email addresses, ZIP codes, membership ID numbers and dates of birth.

The remaining four buckets contained additional sensitive information about the user, such as home addresses, device type, IP address and encrypted passwords.

“Every file we viewed could also be downloaded and stored offline, making them completely untraceable. Criminals could then target people over and over again, for many years to come. Alternatively, they could sell the data on the dark web to criminals around the world,” the researchers said.

What now?

After receiving notice from researchers that the app’s security was compromised, Key Ring fixed the issues and secured their servers on February 20.

It remains unclear whether bad actors also discovered and accessed the database, or if they scraped any personal information of customers. However, it’s best to be on the safe side and take measures.

If you are a Key Ring user, monitor your credit card report for any suspicious activity. It’s also a good idea to pay attention to your Inbox for any phishing emails, and install a local security solution on your devices.

Since the app developers have yet to release a statement, you can also contact them for additional information.