Data of over 54mln mobile app users at risk, claims report

Posted by Alex Morrison December 20, 2022
mobile app

CloudSEK’s ‘BeVigil’ uncovered about 50 per cent of the analysed (600) apps on the Google play store, leaking API keys of three popular transactional and marketing email service providers

Three popular transactional and marketing email service providers — Mailgun, MailChimp and Sendgrid — have put data of more than 54 million mobile app users at risk, including from India, a report claimed on Monday.

People in the US have downloaded these apps the most, followed by the UK, Spain, Russia, and India, leaving over 54 million mobile app users vulnerable, according to cyber-security firm CloudSEK.

CloudSEK’s ‘BeVigil’, a security search engine for mobile apps, uncovered about 50 per cent of the analysed (600) apps on the Google play store, leaking API keys of three popular transactional and marketing email service providers; Mailgun, MailChimp, and Sendgrid.

Leaked API keys allow threat actors to perform a variety of unauthorised actions such as sending emails, deleting API keys, and modifying two-factor authentication, said security researchers.

Mailgun provides email API services enabling brands to send, validate, and receive emails through their domain at scale.

An API key leak would allow a threat actor to send emails, read emails, get simple mail transfer protocol (SMTP) credentials, get IP address and statistics, allow creating, accessing, and deleting Webhooks and retrieve mailing lists of customers and launch a phishing campaign, said the report.

Mailchimp is a transactional email service first introduced in 2001 and later launched as a paid service with an additional freemium option in 2009.

An API key leak in Mailchimp would allow a threat actor to read conversations, fetch customer information, expose email lists of multiple campaigns containing personal identifiable information (PII), authorise third-party applications connected to a MailChimp account, manipulate promo codes and start a fake campaign and send emails on behalf of the company.

In the case of SendGrid, a communication platform intended for transactional and marketing emails, an API key leak would allow a hacker to send emails, create API keys, and control IP addresses used to access accounts.

Disclaimer: The opinions expressed by our writers are their own and do not represent the views of Scommerce. The information provided on Scommerce is intended for informational purposes only. Scommerce is not liable for any financial losses incurred. Conduct your own research by contacting financial experts before making any investment decisions.

scommerce

Welcome! Get free access to EVERYTHING we publish…

Whether you are an investor, tech enthusiast, or entrepreneur we have something for you. You'll get our FREE weekly newsletter with latest news and information along with special offers. Please take time to read our privacy policy. The information you provide us will be processed in accordance with this.