DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

OkHello is NOT OK – they’re leaking user data (UPDATE 2)

Posted on December 6, 2015 by Dissent

OkHello provides a free group video chat service. Its app is available on the App Store and on Google Play. If you’ve ever used it, your details may be in others’ hands right now.

According to their Privacy Policy, OkHello collects a lot of personal information about users, including geolocation data and information from Facebook if you use Facebook Connect to access their service.

Of concern, a lot of that personal information appears to have been inadequately secured, and at this point, DataBreaches.net does not know for how long personal details have been exposed or how many people may have downloaded them.

Earlier today, white-hat researcher Chris Vickery informed DataBreaches.net that 2,627,082 users’ account details have been exposed. No passwords or authentication are needed to view and download user details that include first and last names, password hash, Facebook IDs, phone number, email address, messages, and friends’ information. The screencaps below were taken from the database and were redacted by Chris. The second one – with the personal message – came from a table that has 8.2 million entries.

okhello_DB_screenshot

Room_message_sample

Chris says he discovered the leak because OkHello failed to secure their database on a port that is indexed by Shodan.

Not only could Chris access the database through that port, but he discovered that OkHello also has a web page that allows anyone to download the entire database backup without any login required. DataBreaches.net went to the IP address Chris provided and verified that the entire database – more than 9 GB – could be downloaded without any password.

In its privacy policy, OkHello claims to care about its users’ information security:

Keeping your information safe: OkHello cares about the security of your information, and uses commercially reasonable safeguards to preserve the integrity and security of all information collected through the Service. However, OkHello cannot ensure or warrant the security of any information you transmit to OkHello or guarantee that information on the Service may not be accessed, disclosed, altered, or destroyed.

Attempts to Notify Failed

Chris attempted to contact OkHello through their support portal yesterday, but received no response.  OkHello has no phone number on their web site and their domain registration is protected. DataBreaches.net sent an alert to [email protected] this afternoon, but has received no response as yet. DataBreaches.net also attempted to reach their external counsel through Twitter to see if they could call them, and actually called the law firm’s Los Angeles office, only to be told by the weekend receptionist that he had no way of knowing who represented them and they wouldn’t be calling anyone.

While DataBreaches.net usually does not reveal a leak until after the entity has had time to secure it, in researching this incident, DataBreaches.net discovered that the leak had  already been disclosed on Twitter by Jay Fuller, who also tried (unsuccessfully, it seems) to reach OkHello through their Twitter account.

Would this be an appropriate time to remind everyone that I have repeatedly called for sites to be required to provide a dedicated and monitored phone number or email address that can be used to alert them to security breaches?

In the meantime, if anyone knows any of the principals of OkHello and can pick up the phone and call them to tell them to secure their database, that would be nice.

Update Dec. 8: As of this morning, OkHello’s backup database is still freely available. I haven’t checked their current installation, but they haven’t responded to attempts to alert them. Tweets to the California Attorney General, OkHello’s external counsel, and FTC do not seem to have resulted in anyone contacting them to address this leak, which includes personal messages.

Update Dec. 14: OkHello’s live MongoDB database is still up and still leaking.

Update Dec. 15: See this post for what happened next.

Category: Breach IncidentsBusiness SectorExposureOf NoteU.S.

Post navigation

← Ashley Madison hack steals man’s job, wife — and mind
Tunecore Has Been Hacked, Sensitive Data Revealed, All User Passwords Invalidated →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Rewards for Justice offers $10M reward for info on RedLine developer or RedLine’s use by foreign governments
  • New evidence links long-running hacking group to Indian government
  • Zaporizhzhia Cyber ​​Police Exposes Hacker Who Caused Millions in Losses to Victims by Mining Cryptocurrency
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Google: Hackers target Salesforce accounts in data extortion attacks
  • The US Grid Attack Looming on the Horizon
  • US govt login portal could be one cyberattack away from collapse, say auditors
  • Two Men Sentenced to Prison for Aggravated Identity Theft and Computer Hacking Crimes
  • 100,000 UK taxpayer accounts hit in £47m phishing attack on HMRC
  • CISA Alert: Updated Guidance on Play Ransomware

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • How the FBI Sought a Warrant to Search Instagram of Columbia Student Protesters
  • Germany fines Vodafone $51 million for privacy, security breaches
  • Malaysia enacts data sharing rules for public sector
  • U.S. Enacts Take It Down Act
  • 23andMe Bankruptcy Judge Ponders Trump Bill’s Injunction Impact
  • Hell No: The ODNI Wants to Make it Easier for the Government to Buy Your Data Without Warrant
  • US State Dept. says silence or anonymity on social media is suspicious

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.