An open Elasticsearch database belonging to a company named Covve leaked online, impacting around 23 million email addresses and other personal details.
Troy Hunt, the researcher behind the Have I Been Pwned portal, wrote a while back about a data breach he dubbed “db8151dd” after one of the unique global identifiers used inside the database. It’s a 90GB trove of personal information that has millions of entries, with personal information. The weirdest part was that nobody knew where it came from.
Now, the source of that data breach was identified as coming from Covve, which has a popular contacts app, with CRM features, business cards, and more. Covve recently acknowledged a security incident.
“Data belonging to approximately 90,000 users was compromised by a 3rd party who gained unauthorized access to a legacy system before it was decommissioned in early January,” said Covve on their blog. “This system related to the now-retired Covve web app. It appears at this stage that contact data such as name and contact details were accessed, that the data cannot be directly associated with specific users, and no user passwords were compromised.”
The biggest problem with this data breach is that it affects people who had nothing to do with the app. For example, if someone had your phone number and email address and used the Covve app, your data was leaked just the same.
And since the Covve app scraped the Internet for details on contacts people added into the app, the size of the breach becomes all the more evident. Unfortunately, users can’t do a whole lot about this problem, especially since the breach affects mostly people who have nothing to do with the app.