Topps’ Mobile Apps User Accounts Leaked Online

21 / 06 / 2016

Foul Ball

I have some interesting news to announce today, but first I want to share what appears to be my first example of a “repeat leak.”

Most adult men in the US will recognize the Topps brand name. They are the baseball card company that we all know and love. Unfortunately, I have reason to believe the Topps phone apps team may have some data security issues to address, and I can’t get a response out of Topps.

Bunt, Huddle, and Kick are three of Topps’ mobile apps that give fans the opportunity to engage each other on the go. Those same fans may be alarmed to learn that, back in early December of 2015, I stumbled upon three separate, publicly accessible databases containing what I believe to be many hundreds of thousands of user account details for these apps (a different database for each of the three), along with other data tables apparently necessary for the app servers to function.

The good news is that those three databases were secured a few days after I discovered them, which was faster than I could get around to sending notification to Topps. Thinking that was the end of it, I decided to forget about the situation and move on to other things. Little did I know, about two weeks ago, a similarly exposed and publicly accessible database would appear (with all three apps’ data together on this one server).

There has been plenty of opportunity to notify Topps of the apparent leak this time around. In fact, I’ve sent emails to three different Topps support addresses:

Hello Topps,

I am a security researcher that occasionally comes across publicly exposed databases. Unfortunately it appears that I may have come across one belonging to you and containing a large amount of sensitive user account information. This looks like it involves data from Topps apps such as Huddle, Bunt, and Kick.

[SERVER DETAILS REDACTED]

[…] As I will most likely publicly disclose word of the incident (but not the data itself), it is only fair to let you know that any response, or lack of response, may be included in that reporting.

-Chris Vickery

The only response has been one automated message:

Your request (#172563) has been received and will be reviewed by the Topps BUNT Team […]

That’s all I’ve gotten back from Topps in over a week. At this point, I can’t definitively assign any fault to Topps regarding the apparent data leakage. After all, they have not confirmed or denied anything yet. Maybe it’s not their data after all, but that would really surprise me. Nevertheless, I can’t in good conscience watch this data continue to leak without at least trying to get a warning out.

The Interesting Announcement:

As much as it pains me to say this, I’ve found another exposed US voter profile database. This one has 154 million entries. Stay tuned for details. You’ll get all the inside info as soon as the details can be safely shared.

***

Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Research Center. 

Do you have security tips or suggestions? Contact: security@kromtech.com