Chinese app maker Sungy Mobile may have exposed the information of more than 50.5 million of its customers, according to researchers who were able to access dozens of the company's databases through a pair of IP addresses that did not require any login credentials.
Sungy, also known as GOMO, is the company behind the GO series of apps, which are very popular with Chinese residents, particularly children, and also have a more limited worldwide following. Databreaches.net posted that a researcher going by the handle Flash Gordon discovered in May that he could access some of Sungy's data through an IP address with an exposed port 80, along with a second IP address; both were left unsecured.
A tremendous amount of data was exposed through these two entry points. Databreaches.net said the exposure covered 50,553,664 unique accounts, 47,415,210 unique devices, 4,379 distinct mobile numbers in accounts, 51,426,769 distinct email addresses in accounts and 48,255,172 profiles. In addition, the account numbers of 477,521 customers using Sungy's VPN service were also vulnerable. In total, 100GB of data was involved.
The types of data included exposed links to avatars, comments, notes and other application-based information such as users' coins or game credits and in-store purchases, as well as exposed links to phone model information, language, country, and type of connection. A great deal of corporate data was also involved, including Sungy's deployment and development system with all of its endpoints, credentials and project information.
Some U.S. customer information was also involved including email address, username, school, gender, date of birth, and their International Mobile Subscriber Identity number. The number of people involved was not released.
Databreaches.net and Flash Gordon each attempted, without success, to contact Sungy via email, its web host and the Privacy Commissioner for Personal Data, Hong Kong. A further attempt to inform someone through NTT Com Asia may have yielded results, as the databases were closed off after that firm was informed.
The researchers could not determine if the company has tried to, or has any intention of, informing its customers.