The babysitting app Sitter notified some 93,000 account holders that their personal data was exposed after independent security researcher Bob Diachenko discovered an inadvertently exposed MongoDB file.
On August 13, 2018, using the public IoT search engine Shodan, Diachenko found that patient information, including encrypted passwords to the account, phone numbers, addresses, customer transaction details including partial credit card numbers, and user phonebook contacts, was exposed.
In-app chat and notification history, along with who needed babysitters, locations, and what times they would be needed, were also involved. It is unclear how long the information was exposed or whether anyone else gained unauthorized access to it, but those responsible took immediate action to rectify the situation and notify those affected, Diachenko said.
“Sitter has already notified all of its users and partners of the temporary data breach you identified that resulted in the last week in the course of development of certain product enhancements,” Sitter said in a note to Diachenko. “The security vulnerability was immediately re-secured.”
Researchers noted the information may have been vulnerable to ransomware or theft had the data been left unnoticed much longer.