An iOS and Android web camera application installed by thousands of users left its database of customer information exposed online.
The Elasticsearch database, found by security researcher Justin Paine, belonged to Adorcam, a web camera application that provides a P2P connection for IP web camera brands such as Zeeporte and Umino.
According to Paine, the exposed database contained 124 million rows for several thousand users, including their email addresses, hashed passwords, Wi-Fi network names, web camera settings including microphone state, country geolocation, web camera serial numbers, and potentially images captured by the web cameras.
The researcher also discovered that the leaked information included sensitive details about an MQTT server (MQTT is a common standard messaging protocol for the Internet of Things (IoT)), such as its hostname, port, password, and username.
Paine verified that the database was updating live by signing up with a new account and searching for his information in the database. The researcher contacted Adorcam over the issue and the database was secured.
If this data were to fall into the wrong hands, it could be used for very convincing social engineering attacks, phishing campaigns, or targeted attacks against users in a specific region.