Hacker News: MrBruh's comments

Out of the top 1.5 Million Android apps on the Play Store, 11,126 were insecure and exposed users’ PII. In total these 11 thousand apps exposed 1.43 Billion user records. This includes 5 apps with 100 Million downloads and 10 apps with 50 Million downloads.

On the black market such an exploit would be worth 200-500k USD


Nice idea, just checked it now and can confirm there was nothing suspicious in the wildcard records.


ignore the post thx <3


Feedback on my blog posts is always appreciated! :)


When manually reviewing a lot of these sites, it was not identifying PII that was in non-English, since the automated scanner checks the variable name for known data types (e.g. phone), but that would only work for English sites.


Correct, that's why we couldn't post a list of affected sites or malicious actors would immediately abuse it :/


It seems reasonable to assume that the exposed information has already fallen into the wrong hands. Might as well post the list at this point (or at some point, at least) so that any users of those sites can become aware, no?


Shouldn't encrypting all database records be the only sane, safe and legal solution, with the decryption key sent to local (to the website owner) law enforcement when site owners aren't responsive?

Not saying you should do that given the current state of the laws.


It'll now take them 2-3 weeks to get the details.


Bro woke up on the wrong side of the bed


Bro woke up with no gf :'(


Glad to hear you enjoyed it, it was a messenger called "Line"


Ah nice! This brings back memories. I think this is a very popular messenger app in SEA region?


Taiwan, Japan and Hong Kong mostly.

SEA used a mix of messaging apps, where WhatsApp > Line.


We believe the gambling ring is based in Indonesia, where it is uncommon to use Line, but they seem to be using it here for all of their customer support across all sites.


Not really used in Hong Kong that much anymore apart from a small subset of people (WhatsApp is king). It's also heavily used in Thailand.


They must have trained their customer support AI with a database stolen from dating sites.


Can't blame a company for trying to make their AI charismatic :D


I feel like we need more followup, so come on, dish! Where are you taking her for that first date?


That's because I wrote both of those articles, and this is the sequel to that blog post. :P


Indeed :) Same authors ... referring to each other :)


We decided to make a shared blog because we will likely have other projects we will do together, so all of us posting on our personal blogs on the same topic would be counterproductive.


That's a good thing. There is nothing wrong with your approach. Glad you are sharing what you do because what you do interests many people.

