- Cybernews found that Tokee’s unprotected MongoDB exposed ~1.2 million users’ data
- Leaks include names, phone numbers, avatars, device tokens, IDs, activity logs, and account status; chat logs were encrypted
- Deucetek secured the database after publication; no signs of malicious access, but users warned of phishing risks
A messaging app called Tokee kept an unprotected database of tons of sensitive information, exposing over a million customers to anyone who knew where to look.
Security researchers from Cybernews discovered a MongoDB instance with no password protection that contained user display names, phone numbers stored as numeric values, profile avatars, device tokens used for push notifications, user IDs, account creation and update timestamps, “last seen” activity indicators, and account status flags (for example, premium or non-premium).
A deeper investigation revealed that the database belonged to a company called Deucetek, a US-based software company that developed the Tokee messaging app.
Locks the archives
Tokee is not as popular as WhatsApp or Telegram, but it still has a solid user base. On the Android platform alone, it has more than a million downloads (Apple’s app store does not show download numbers) – but Cybernews says the leak exposed about 1.2 million users, “which likely represents the vast majority of the app’s user base.”
Chat logs were also stored in the same database, but these were encrypted and as such are not at immediate risk. Should someone come up with enough computing power, the encryption could be cracked, but right now it’s not exactly cost-effective. However, there is plenty of unencrypted information in the database that can cause serious damage:
“Although user chat messages stored in the same infrastructure appear to be encrypted using password-based OpenSSL encryption, the exposed personal data alone poses significant privacy, security and regulatory risks,” the Cybernews team said.
After responsible disclosure, Deucetek locked down the database. The researchers said there was no evidence that the data was discovered by malicious actors in the past, and the data does not appear to have reached the dark web. Still, users are advised to be wary of incoming messages, especially those claiming to be from Tokee or Deucetek.




