Personal information of 10 million people leaked from large Christian community Pray.com

Online Christian content service and community… Cloud DB exposed on the Internet; list of recommended acquaintances, people who never subscribed to the service, also exposed.

Monday, November 23, 2020, 07:28 GMT

Personal information of 10 million people was leaked from Pray.com, an online site for Christians. The website offers a subscription-based service costing between $50 and $120 that provides Christian content in video and audio form, including sermons by many famous preachers as well as messages from celebrities. Pray.com has been downloaded more than 1 million times on the Google Play Store and is ranked 24th in the Lifestyle App category on the Apple App Store.

However, vpnMentor, a security company, found that several cloud storage locations operated by Pray.com were exposed to the Internet. The AWS S3 buckets were connected to the Internet without any authentication mechanism and held a total of 1.9 million files, 262GB in all. Most of them contained Pray.com internal data, but more than 80,000 files containing personally identifiable information were found in one bucket. Ten million people are involved, and analysis showed that some of them are not Pray.com users at all.

According to vpnMentor, profile photos and avatar images were also exposed, including those of minors. In addition, analysis of the bucket revealed that it also contained CSV files that churches using Pray.com had uploaded in order to communicate with their members through the Pray.com community. These were databases listing member names, phone numbers, addresses, e-mail addresses, and marital status.

Members can also send donations to the church of their choice through Pray.com, and all of these records were stored in the exposed database. Who gave how much to which church was recorded in detail, with the donor’s personally identifiable information attached. How these records were passed to the churches has not yet been established. vpnMentor warned that the records could reveal the financial status of both app users and churches.

The most serious problem is that the exposed database contains a large amount of user contact information. During sign-up for Pray.com there is an option to recommend the service to friends, and if the user agrees, the app uploads the subscriber’s entire contact list. This information was exposed as well. In many cases it included not only a name and phone number but also an e-mail address and home address. There were even some login credentials.

These people are acquaintances the user wanted to recommend the service to, so they are not Pray.com subscribers. “The people stored in the address books of Pray.com users were also leaked. So far, Pray.com appears to have stored the personal information of about 10 million people, without the direct permission of those people. That is why they could never have imagined that their information would be leaked in an incident like this.”

About 80,000 of the exposed files were set to private; in other words, only those authorized by the database administrator could read them. That does not mean the information in these files was safe, however. The same files were also in another Amazon bucket connected to the Internet, and there they could be read. vpnMentor explained, “This is a common mistake made by users who are not familiar with the cloud.”

vpnMentor concluded, “Looking at the various settings and the state of the cloud, Pray.com does not seem indifferent to security itself, but it does not properly understand the public cloud called AWS.” It added, “If you want to use the cloud, you must understand the details of its configuration.”

“S3 buckets exposed to the Internet without any protection are now very common. In 2018 and 2019 alone there were close to 200 cases of information leakage caused by cloud configuration errors, and 16% of them came from the S3 bucket ecosystem. Attackers understand this well and exploit it well. In other words, ‘I didn’t know’ is not an excuse. If you want to use the cloud, you must learn how to set it up properly from examples like these.”
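The two preceding points, files set to private in one bucket but readable in a copy, and the advice to understand bucket configuration before using S3, come down to checking three settings per bucket: the ACL, the bucket policy and the Public Access Block. The following is an added example written for this article, not code from the article, vpnMentor or Pray.com. It evaluates those three documents offline for public exposure; the bucket names, ACL grants, policy and Public Access Block values are constructed to reproduce the article’s scenario (the same objects private in one bucket and public in a copy). In real use the documents would be fetched with boto3’s get_bucket_acl, get_bucket_policy and get_public_access_block and fed to the same functions.

```python
"""Offline check of S3 bucket access settings for public exposure.

Added example, not code from the article or vpnMentor. The bucket inventory
below is constructed; in real use the ACL, policy and Public Access Block
documents come from boto3's get_bucket_acl, get_bucket_policy and
get_public_access_block.
"""
import json

# Grantee URIs AWS uses for "everyone" and "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def acl_public_grants(acl):
    """Permissions the ACL hands to AllUsers or AuthenticatedUsers."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append(grant["Permission"])
    return found


def policy_public_statements(policy_json):
    """Sids of unconditional Allow statements whose Principal is everyone."""
    if not policy_json:
        return []
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    public = []
    for stmt in statements:
        principal = stmt.get("Principal")
        everyone = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") == "Allow" and everyone and not stmt.get("Condition"):
            public.append(stmt.get("Sid", "<no Sid>"))
    return public


def public_access_block_complete(pab):
    """True only when all four Public Access Block switches are on."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(pab.get(k) is True for k in keys)


def assess_bucket(name, acl, policy_json, pab):
    """Combine the three signals into one verdict for a bucket."""
    findings = []
    grants = acl_public_grants(acl)
    if grants:
        findings.append("ACL grants " + ", ".join(grants) + " to a public group")
    stmts = policy_public_statements(policy_json)
    if stmts:
        findings.append("bucket policy allows everyone in: " + ", ".join(stmts))
    if not public_access_block_complete(pab):
        findings.append("Public Access Block is not fully enabled")
    return {"bucket": name, "public": bool(grants or stmts), "findings": findings}


# Constructed sample: the same objects, private in one bucket, public in a copy.
OWNER = {"Type": "CanonicalUser", "ID": "example-owner-id"}
ALL_USERS = {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}
PAB_ON = dict.fromkeys(("BlockPublicAcls", "IgnorePublicAcls",
                        "BlockPublicPolicy", "RestrictPublicBuckets"), True)
PAB_OFF = {k: False for k in PAB_ON}
CONSTRUCTED_BUCKETS = {
    "example-private-bucket": {
        "acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"}]},
        "policy": None,
        "pab": PAB_ON,
    },
    "example-public-copy-bucket": {
        "acl": {"Grants": [{"Grantee": OWNER, "Permission": "FULL_CONTROL"},
                           {"Grantee": ALL_USERS, "Permission": "READ"}]},
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [{
            "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-public-copy-bucket/*"}]}),
        "pab": PAB_OFF,
    },
}


def assess_all(buckets=CONSTRUCTED_BUCKETS):
    """Assess every bucket in the inventory and return the verdicts."""
    return [assess_bucket(n, b["acl"], b["policy"], b["pab"]) for n, b in buckets.items()]


if __name__ == "__main__":
    for r in assess_all():
        print(r["bucket"], "PUBLIC" if r["public"] else "private")
        for f in r["findings"]:
            print("  -", f)
```

The point of checking all three documents is that a bucket can be private by ACL and still be readable through its policy, or vice versa, and the Public Access Block is the only setting that stops a later mistake in either from taking effect. Run against a real inventory, any bucket reported as PUBLIC that is not meant to serve a website is exactly the configuration error the article describes.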

The database in question was found on October 6th. vpnMentor immediately notified Pray.com of the findings but received no reply. It then contacted Amazon repeatedly, after which the sensitive files disappeared from the bucket. These measures were taken on November 17th. How long the database had been exposed on the Internet is not yet known.

Three-line summary

  1. User personal information was leaked from Pray.com, a large Christian community.
  2. The number of victims is expected to be around 10 million, most of whom are not registered users.
  3. The incident appears to stem not from ignorance of security but from inexperience in using the cloud.