Boomoji app exposed 5.3 million users’ data due to misconfigured ElasticSearch server

• The unprotected databases could have allowed anyone to edit or delete the data using their web browser.
• The databases contained crucial information of both Android and iOS Boomoji users.

The popular emoji app Boomoji exposed the personal data of around 5.3 million users online after it failed to add passwords on two of its ElasticSearch databases. The unprotected databases could have allowed anyone to edit or delete the data using their web browser.

What data was exposed?

The databases contained crucial information of both Android and iOS Boomoji users. This includes their usernames, gender, country and phone type. Each record also included a unique Boomoji ID, which was connected to other data tables in the database.

One of these tables included the users’ schooling information - a feature that Boomoji enabled so as to help users connect with their friends. Another table had more than 125 million contacts, including their names and phone numbers. The unique ID contained the precise geolocation of over 375,000 users.

The databases are listed on Shodan, a search engine for exposed devices and databases and can be found with a few keywords.

Addressing the problem

Soon after the discovery of the incident, the firm removed the two unsecured databases immediately, TechCrunch reported. “These two accounts were made by us for testing purposes,” said a Boomoji spokesperson. Although Boomoji is a China-based firm, it claims that the company follows California State law for protecting its users' data, TechCrunch reported.

This the latest incident in a series that involves the exposure of data due to a misconfigured ElasticSearch databases. Previously, an unprotected ElasticSearch server leaked over 73 GB of data belonging to 57 million US citizens.