Privacy-focused social network True has suffered a serious data breach after a server containing private user data was left exposed online.
Launched in 2017, the company is founded on a commitment to user privacy and promises never to sell or share user data, but a security blunder appears to have broken that pledge.
According to security firm SpiderSilk, a configuration error meant that anyone could read and browse the database, which was protected by neither a password nor any form of encryption.
The server is said to have contained information such as user email addresses, phone numbers, private messages and location data, but also account access tokens that could be used to hijack user accounts.
A number of tests conducted by SpiderSilk showed that the data exposed online could be used to seize control of accounts and post messages to the victim’s feed, but also that True’s data retention claims may not hold water.
According to the social network, deleting an account “will immediately remove all of your content from our servers”, but a test conducted in conjunction with TechCrunch revealed that this was not the case.
Data attached to a dummy account – including private messages, posts and photos – was still accessible via the exposed database after deletion.
Mossab Hussein, CSO at SpiderSilk, was inclined to give the company the benefit of the doubt; security mishaps and data retention errors of this kind are commonplace – and often inadvertent.
“This is another example of how mistakes can happen at any organization, even those that are privacy centric,” he said.
“It highlights the importance of not only building secure applications and websites, but also ensuring that proper data security measures are embedded within their internal procedures.”
True CEO Bret Cox has since acknowledged the incident and the offending server has been taken down, but the firm has not yet published an official statement.