Privacy-focused social network True leaves user data exposed online
Privacy-focused social network True has suffered a serious data breach after a server containing private user data was left exposed online.
Launched in 2017, the company is founded on a commitment to user privacy and promises never to sell or share user data, but a security snafu appears to have broken that pledge.
According to security firm SpiderSilk, a configuration error meant that anyone could read and browse the database, which was protected by neither a password nor any form of encryption.
The server is said to have contained information such as user email addresses, phone numbers, private messages and location data, as well as account access tokens that could be used to hijack user accounts.
True data breach
A number of tests conducted by SpiderSilk showed that the data exposed online could be used to seize control of accounts and post messages to the victim’s feed, and also that True’s data retention claims may not hold water.
According to the social network, deleting an account “will immediately remove all of your content from our servers”, but a test conducted in conjunction with TechCrunch revealed that this was not the case.
Data attached to a dummy account – including private messages, posts and photos – was still accessible via the exposed database after deletion.