Messaging app Tokee may have leaked 1.2 million user profiles — experts say exposed personal data 'presents significant privacy, security, and regulatory risks'

News
By published

Chats were exposed, too, but in an encrypted format

Data leak
(Image credit: Shutterstock)
  • Cybernews found Tokee’s unprotected MongoDB exposing ~1.2M users’ data
  • Leak included names, phone numbers, avatars, device tokens, IDs, activity logs, and account status; chat logs were encrypted
  • Deucetek secured the database after disclosure; no evidence of malicious access, but users warned of phishing risks

A messaging app called Tokee kept an unprotected database with plenty of sensitive information, exposing over a million customers to whoever knew where to look.

Security researchers from Cybernews discovered a non-password-protected MongoDB instance which contained user display names, phone numbers stored as numeric values, profile avatars, device tokens used for push notifications, user IDs, timestamps for account creation and update, “last seen” activity indicators, and account status flags (for example, premium or non-premium).

A deeper investigation determined the database belonged to a company called Deucetek, a US-based software firm developing the Tokee messaging app.

Latest Videos From

Locking the archives

Tokee isn’t as popular as WhatsApp, or Telegram, but it still has a solid user base. On the Android platform alone it has more than a million downloads (Apple’s app store does not display download numbers) - but Cybernews says that the leak exposed around 1.2 million users, “which likely represents the vast majority of the app’s user base”, it said.

Chat logs were also stored in the same database, but these were encrypted and as such are not at immediate risk. Should someone come along with enough computing power, the encryption could be cracked, but right now it’s not exactly cost-effective. Still, there is plenty of non-encrypted information in the database to cause serious harm:

“Although user chat messages stored in the same infrastructure appear to be encrypted using password-based OpenSSL encryption, the exposed personal data alone presents significant privacy, security, and regulatory risks,” the Cybernews team said.

Following responsible disclosure, Deucetek locked the database down. The researchers said there was no evidence that the data was discovered by malicious actors in the past, and the data appears not to have made it into the dark web. Therefore, users are advised to be careful with incoming messages, especially those claiming to come from Tokee, or Deucetek.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.