DataBreaches.Net
No need to hack when it’s leaking, Monday edition: TeammateApp

Posted on February 24, 2025 by Dissent

Another day, another leak, another inaccurate claim by an entity, and another inappropriate attack on a researcher. Buckle up.

TeammateApp is not the sort of entity that DataBreaches usually reports on. DataBreaches decided to report on a data leak they reportedly experienced because once again, a well-intended researcher appears to have been falsely accused of trying to sell services he wasn’t selling and of harassing them simply because he sent a responsible disclosure notice and then a follow-up email.

But let’s start at the beginning.

On February 15, the researcher known as @JayeLTee reached out to TeammateApp via email to alert them to a leak he had discovered. His email resulted in the leak being secured within an hour, but TeammateApp never acknowledged receipt of his notification or responded at all.

Several days later, JayeLTee emailed them again to ask if they would be notifying any regulator or clients, because if they were and if they needed him to delay publication of his report, he would delay publication to give them time to make notifications. JayeLTee explained that he routinely reports on leaks he discovers and tries to get secured.

TeammateApp’s response was… inappropriate, at best. As JayeLTee reports, the firm’s CEO, Sean Banayan, replied:

This had no impact on anything or anyone and all anyone could see was basic information of [type of database redacted by JayeLTee] database size etc.

There were few more security layers which would have made any data breach impossible anyway.

Not sure what’s your business and what the heck this Proton actually does, but if you don’t stop harassing us, I’ll get in touch with them to stop you.

Whatever you’re selling, we’re not interested in purchasing it.

Get it??

The reference to “Proton” was presumably because JayeLTee uses Proton Mail to send notifications. The firm’s CEO didn’t seem to know what “Proton” is and likely assumed it was JayeLTee’s employer or business. The CEO also accused JayeLTee of trying to sell… something… even though JayeLTee had told them at the outset that he is an independent researcher who volunteers his time and doesn’t sell anything.

The remainder of JayeLTee’s post provides evidence that refutes the CEO’s claim about what could be seen and what kind of information was involved. As JayeLTee notes, the “few more security layers” the CEO referenced either failed to function properly or, more likely, were nonexistent, because he was able to access employee data and user data containing personal information without ever being asked to log in or provide any password.

TeammateApp Contacted

Having been shown a preview of JayeLTee’s post, DataBreaches emailed TeammateApp about the researcher’s findings. The email included snippets or descriptions of the data that JayeLTee had found exposed. As one example, DataBreaches quoted a subsection of the report:

“employees – 23,279

This contained fields such as first and last name, company and workplace foreign keys, email, phone and mobile, date of birth and a field with additional information such as medical recommendations. There were multiple other tables related to employee data such as “employeesppes” which contained PPE (Personal protective equipment) information, mostly uniform sizes.”

DataBreaches noted that a redacted screenshot from the employees table was included in the report. DataBreaches requested an unredacted version to try to verify the personal information. JayeLTee provided the unredacted version, and DataBreaches was able to quickly confirm that there was an employee at Kaweka Health with the same name as the person in the redacted screenshot.

This site’s email to the CEO also included mention of other examples of exposed files from Kaweka Hospital and G&H Cardiovascular, and a screenshot of a redacted user entry for an “employee of a cybersecurity company https://defend.co.nz” (the latter was from the “Users” table).

Finally, DataBreaches informed the CEO that JayeLTee claimed he can still access files even after the firm locked them down. “He doesn’t explain how in his report, but it sounds like anyone who acquired certain info before you locked things down can bypass login authentication and still access certain files,” DataBreaches wrote to the CEO.

DataBreaches asked the CEO three questions:

1. Do you still maintain there was no leak or breach?

2. Do you have access logs to show what IP addresses may have accessed or acquired files without authorization?

3. Will you be notifying any regulator or people who had their personal information exposed?

DataBreaches also invited Sean Banayan to provide a statement for publication. He replied promptly to this site’s email:

We will further investigate this matter internally and do not wish to entertain this matter with your website.

At this point, then, TeammateApp has not confirmed the data leak that seems pretty evident.

Once again, an entity shot the messenger who was trying to alert them to their security incident. This time, an obviously angry messenger shot back, as JayeLTee’s concluding remarks demonstrate.

You can read JayeLTee’s entire post on his Substack. He has also posted about it on infosec.exchange.

Category: Business Sector, Commentaries and Analyses, Exposure
