Privacy and data exposure incidents across consumer apps, software supply chains, and misconfigured servers
Multiple disclosures highlighted ongoing data exposure risks driven by misconfiguration and weak controls. Cybernews researchers reported that three photo-identification mobile apps exposed data for ~152,000 users due to misconfigured Firebase databases lacking authentication, leaking emails, usernames, profile photos, and GPS coordinates; evidence in the exposed data suggested automated scanning and prior access by attackers. Separately, a large-scale internet study found nearly 5 million public web servers with accessible .git directories, including more than 250,000 instances exposing .git/config, which can contain deployment credentials and enable source-code reconstruction, secret theft, and follow-on compromise.
In parallel, software supply-chain abuse targeted the dYdX ecosystem via malicious packages on npm and PyPI that stole wallet seed phrases and other credentials; one PyPI package also reportedly deployed a remote access trojan enabling code execution and theft of API credentials, SSH keys, source code, and other sensitive files, with potential for persistence and lateral movement. Separately from these incident reports, Google announced privacy-focused search features aimed at faster removal of non-consensual explicit imagery (including deepfakes) and expanded monitoring via Results about you to help users detect and request removal of exposed government ID numbers—positioned as a protective measure rather than a breach disclosure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Researchers uncover photo ID apps leaking 152,000 users' data
Cybernews researchers found that three photo-based identifier apps exposed sensitive user data through misconfigured Firebase databases lacking authentication. The leak affected about 152,000 users and included emails, usernames, profile photos, and GPS coordinates, with signs of prior unauthorized access observed in the databases.
Malicious npm and PyPI packages steal dYdX-related credentials
Socket researchers identified malicious versions of the @dydxprotocol/v4-client-js npm package and the dydx-v4-client PyPI package that targeted dYdX environments. The packages were reported to exfiltrate seed phrases and device fingerprints, while the PyPI package also deployed a remote access trojan capable of stealing API credentials, SSH keys, and source code.
Mysterium VPN study finds millions of exposed .git directories
A study conducted by Mysterium VPN identified about 4.96 million public IP addresses exposing Git repository metadata through misconfigured, publicly accessible .git directories. Researchers also found more than 250,000 cases where .git/config files were accessible, potentially exposing active deployment credentials.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Photo identification apps leak sensitive data of 152,000 users | SC Media
scworld.com
Open sourceCryptowallet credential-stealing dYdX packages identified | SC Media
scworld.com
Open sourceMillions of servers expose Git metadata, thousands leak credentials | SC Media
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Large-Scale Data Exposures Driven by Misconfigured Cloud Datastores
Cybernews researchers reported multiple **data exposures caused by misconfigured back-end services**, including consumer mobile apps and a large unprotected database. Three widely downloaded Android AI photo identification apps—*Insect Identifier by Photo Cam*, *Dog Breed Identifier Photo Cam*, and *Spider Identifier App by Photo*—reportedly leaked more than **150,000** users’ data via a **Firebase misconfiguration** with inadequate authentication/access controls. Exposed data included email addresses, usernames, profile photos, notification tokens, and **GPS coordinates**; while passwords were not found, researchers noted the location data could enable stalking, doxxing, and targeted scams, and observed indications that automated bots had already discovered the exposed databases prior to the investigation. The apps were attributed to publisher **MobilMinds** (linked to **OZI Technologies**), and the developers reportedly did not respond to requests for comment. Separately, Cybernews identified an **unprotected Elasticsearch cluster** exposing approximately **8.7 billion records** associated with China, including names, birthdates, home addresses, national ID numbers, social media identifiers, usernames, and other account/platform details; the dataset also reportedly contained **plaintext credentials** and corporate/business records, suggesting long-term aggregation. The database’s ownership was not confirmed, but it was subsequently secured; researchers characterized the exposure as a systemic privacy risk potentially affecting hundreds of millions of individuals. Two additional items in the set describe individual bug-hunting writeups (e.g., bypassing mobile controls and abusing password reset/IDOR-style issues) but do not provide verifiable linkage to the specific Firebase/Elasticsearch exposures described above.
Mar 21, 2026
Multiple Consumer Data Exposures: IDMerit Database Leak, youX Intrusion, and Substack User Data Access
Cybersecurity researchers reported a major exposure at **IDMerit**, an AI-driven identity verification provider, after discovering an unsecured, internet-accessible **MongoDB** instance containing **over 3 billion records** (over 1TB). Exposed data reportedly included full names, addresses, dates of birth, national ID numbers, phone numbers, and email addresses; researchers estimated roughly **~1 billion** records contained sensitive data (with duplicates likely inflating the total). The dataset was described as global in scope, affecting individuals across **26 countries**, with large volumes attributed to the **US, Mexico, and the Philippines**, creating downstream risk for **identity fraud, account takeover, phishing, and SIM-swap** activity. Separately, Australian finance technology platform **youX** confirmed an **unauthorized third-party access** incident, after which a hacker claimed theft of data tied to **444,528** Australian borrowers and additional loan-application and identity data (including driver’s licence numbers, addresses, and credit/banking-related information), plus customer/staff details associated with broker organizations. **Substack** also confirmed unauthorized access to **limited user data** (including email addresses, phone numbers, and internal account metadata) that occurred in **October 2025** but was only identified on **Feb. 3, 2026**; Substack stated **passwords and payment card/financial data were not accessed**, but the extended detection gap raised concerns about monitoring and dwell time.
Mar 21, 2026
Security exposures in consumer and mobile apps: robot vacuum account takeover and widespread mental-health app flaws
A security flaw in **DJI Romo** robot vacuums allowed unauthorized access to thousands of devices after a user reverse-engineered the device-to-cloud protocol to build a custom controller app. By obtaining the private token for their own vacuum, the researcher reported they could access backend servers across regions and inadvertently gained control of roughly **6,700** vacuums, with potential access to **floor plans**, **live camera/microphone feeds**, and remote control functions; DJI issued server-side/firmware updates that required no user action, though the researcher reported at least two issues remained (including video streaming without a PIN and another undisclosed high-severity problem). Separately, mobile security researchers reported that popular **Android mental health apps** (about **14.7M installs** across ten apps) contained **1,575** vulnerabilities—mostly low/medium severity but including **54 high-severity** findings—creating risk of exposure of sensitive therapy data via issues such as credential interception, notification spoofing, HTML injection, and user location leakage. Optimizely also confirmed a **data breach** following a **vishing (voice-phishing)** attack that provided attackers access to some internal systems and resulted in theft of **basic business contact information** from internal business systems/CRM and limited back-office documents; the company said attackers could not escalate privileges, install software, or establish backdoors, and it reported no evidence of access to sensitive customer data beyond contact details. While the Optimizely incident is distinct from the consumer-device and mobile-app vulnerability disclosures, it reinforces the operational risk of **social engineering** and the likelihood of follow-on phishing using stolen contact data.
Mar 21, 2026