The developers of make-your-own-avatar app Boomoji reportedly neglected to password-protect two of their internet-connected databases, thus publicly exposing the personal data of roughly 5.3 million users.

The wide-open databases, from Elasticsearch, stored users’ names, genders, countries and phone types all in plain text, TechCrunch reported yesterday. Moreover, the databases also contained unique user IDs, each of which was linked to additional, highly sensitive information that the user either provided or allowed the app to access. 

For instance, some IDs were linked to tables that listed the school the user attends, geolocation data, and phone book entries. Because phone book contacts were included, that means that the information of non-users were collected and exposed as well.

“Boomoji’s data leak is an example of how one breach resulting in a number of users’ data exposure is not as straightforward as it seems,” said George Wrenn, CEO and Founder at CyberSaint Security, in emailed comments. “Exposed records compromising [millions of[ contacts who might have had perhaps no knowledge of the app is just one example of an unforeseen consequence of the data leak.” 

The databases – one in the U.S. containing information on international users and one in Hong Kong reserved primarily for Chinese users – could be easily found using the Shodan search engine.

“It does not take much effort for outsiders to find unsecured databases and access sensitive information,” said Anurag Kahol, CTO, at Bitglass in emailed comments. In fact, there are now tools designed to detect abusable misconfigurations within IT assets like Elasticsearch databases. Because of these tools, and the continued carelessness of companies when it comes to cybersecurity, abusing misconfigurations has grown in popularity as an attack vector across all industries.”

TechCrunch said Boomoji removed the databases after contacting the developers, after dubiously claiming the accounts were made for testing purposes.

Boomoji’s app store description encourages would-be users to create 3D avatars, customize them with outfits, and turn them into animated stickers.

The last few months have seen a spate of data exposures involving unprotected Elasticsearch servers, including ones affecting FitMetrix, Sky Brasil, Urban Massage and Voxox.

“Boomoji’s breach joins the likes of… companies that have exposed massive amounts of user data due to leaving Elasticsearch databases unsecure,” said Stephan Chenette, co-founder and CTO at AttackIQ. “By allowing the data of global users to be exposed, Boomoji could potentially face sanctions under several international data privacy laws, such as GDPR.”