
Leetchi: personal information of money pot creators leaked

An unfortunate update at Leetchi, the French online money pot site, exposed some personal information about the creators of its solidarity money pots for a few days.

Cybersecurity is definitely a complex area. The Leetchi money pot service recently learned this through a security flaw that exposed the personal data of all money pot creators between April 16 and 20, 2020. The affected accounts were alerted by the French company.

In an email, the firm explains that “a technical error has escaped [its] vigilance and resulted in a loss of confidentiality [of] personal data”. More specifically, a flaw in the source code left a good deal of information visible: last names, first names, email addresses, dates of birth and GPS coordinates were available in the source code of the money pots. No banking information, identity document or password was disclosed, Leetchi is keen to specify. “No expense in the pot related to fraudulent use of our users’ data has been successful”, the company also indicates.

Corrected since April 20, 2020, the flaw was due to “adding a new feature [which] coincides with a change in page rendering technology”. For four days, it was enough to view the source code to find out everything about the person behind a money pot. The company seeks to be reassuring: “The money pots on Leetchi are mostly private money pots for which the visitor must have a link previously shared by the creator”. Without a link, there is no easy way to access the source code, and therefore the personal information.

A godsend for phishing

Asked about the extent of the flaw, the company gave no further information. The same goes for the collection of GPS data, which is nevertheless a very sensitive point. In fact, nowhere in the privacy policy is it written that the GPS coordinates of platform users are collected. Only the IP address could technically be used to locate a user, but it is difficult to describe that as “GPS coordinates”.

In the wrong hands, all of this information could be dangerous. With an email address, a date of birth, a first and last name, it is already possible to carry out quite advanced phishing campaigns. Add to that the GPS coordinates and the attack is even more convincing.

The CNIL has been notified of the situation, as required by the GDPR, and Internet users wishing to assert their right of withdrawal can contact Leetchi at the address [email protected].
