The unsecured database was discovered by Dan Ehrlich, from the US-based computer security consulting firm Twelve Security. Peekaboo Moments appears to be run by a China-based company, and the Singapore-based Alibaba Cloud hosted the server in question. On the Peekaboo Moments Google app profile page, the company states, "We completely understand how these moments are important to you," and "Data privacy and security come as our priority. Every baby's photos, audios & videos or diaries will be stored in secured space. Only families and friends can have access to baby's moments at your control." At this point, it is not clear how long the Elasticsearch server has been exposed or who has accessed the data.
The Peekaboo Moments app has been downloaded over a million times, according to the Google app page, and still boasts a review rating of 4.6 out of 5 from over 69,000 reviews. The Information Security Media Group (ISMG) has reached out multiple times to Peekaboo Moments CEO Jason Liu, based in San Francisco, for information on the breach, with no reply. ISMG also reached out to Ehrlich for comment, and he stated, "I've never seen a server so blatantly open," and that, "Everything about the server, the company's website and the iOS/Android app was both bizarrely done and grossly insecure."
The data breach also exposed Facebook API keys used to upload photos and videos from the popular app to Peekaboo Moments user accounts. The API keys allow attackers to gain access to content on Peekaboo users' Facebook pages. Facebook was notified Wednesday of the breach, but it has not responded yet, nor is it known if they have revoked the developer's compromised API keys. Troy Hunt, founder of the data breach notification service Have I Been Pwned, explains that the data breach itself is relatively standard, but that what is disturbing is the complete unresponsiveness from the developers. "Here we have an organization trusted by a huge number of people to protect their precious memories, and they won't even respond to reports of a very serious data security incident," Hunt says. "That's very alarming."