Consumer and IoT privacy exposures from insecure device data handling and wireless identifiers
Multiple disclosures highlighted privacy and safety risks stemming from insecure data handling in connected devices and services. A server-side storage weakness in DJI Romo robot vacuums allowed a researcher to obtain access tokens for more than 6,700 other vacuums and view sensitive user data such as home floor plans, live video feeds, and microphone input; reporting indicated some issues were patched, but residual risk remained (e.g., the ability to stream video without a security PIN). Separately, the game Dungeon Crusher exposed user information after a misconfigured Elasticsearch instance leaked 24.5 million in-game chat records and purchase-related data, including IP addresses, email addresses, and partial payment card details, creating downstream risk for fraud and targeted phishing.
Academic research also demonstrated how everyday systems can leak exploitable signals or be manipulated in the physical world. UC Irvine researchers presented FlyTrap, a physical-world attack against autonomous target-tracking drones in which AI-generated umbrella patterns can cause drones to approach an attacker closely enough to be captured or crashed, raising concerns for deployments in surveillance and security contexts. IMDEA Networks and partners showed that Tire Pressure Monitoring System (TPMS) sensors broadcast a fixed unique ID in cleartext radio signals, enabling low-cost receiver networks to track vehicles over time without line-of-sight, based on signals collected from 20,000+ vehicles during a multi-week study.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
DJI issues updates for Romo vacuum server-side exposure
DJI released updates that addressed some of the robot vacuum security issues after the exposure was identified. However, reporting indicated some weaknesses remained, including the ability to stream video without a security PIN.
Researcher gains unauthorized access to thousands of DJI Romo vacuums
While reverse-engineering his own DJI Romo robot vacuum, hobbyist researcher Sammy Azdoufal discovered he could access private tokens for more than 6,700 devices across the US, Europe, and China. The server-side exposure enabled access to sensitive data such as home floor plans, live video feeds, and microphone input.
Dungeon Crusher data exposure is secured after researcher notification
After Cybernews contacted the company, the exposed Dungeon Crusher database was reportedly secured. No public comment from the company was reported.
Cybernews finds exposed Dungeon Crusher Elasticsearch database
Cybernews researchers discovered a misconfigured Elasticsearch instance exposing Dungeon Crusher player data, including 24.5 million in-game chat records and purchase-related information. The leaked records included IP addresses, partial payment card numbers, email addresses, location data, and transaction metadata.
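The Dungeon Crusher exposure is the familiar pattern of an Elasticsearch node bound to a reachable interface with authentication off, so anyone who finds port 9200 can read the indices. The following audit is an added example written for this page, not code from Cybernews or the game's operator: it reads the flat `key: value` form of elasticsearch.yml, judges whether `network.host` accepts connections from other machines, and combines that with `xpack.security.enabled` and `xpack.security.http.ssl.enabled`. Both configuration texts are constructed to show the weak setting beside the corrected one.

```python
"""Check an elasticsearch.yml for the exposure pattern behind leaks like the Dungeon
Crusher one: a node listening on a reachable interface with authentication (and TLS)
off. Added example; both configuration texts below are constructed."""
import ipaddress
from typing import Dict, List, Tuple

EXPOSED_CONFIG = """\
# constructed: the shape of a node that ends up indexed by internet scanners
cluster.name: game-logs
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false
"""

HARDENED_CONFIG = """\
# constructed: private bind address, authentication and TLS on, firewalled/VPN-only
cluster.name: game-logs
network.host: 10.0.3.15
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Minimal reader for the flat `dotted.key: value` lines elasticsearch.yml uses.
    Comments are dropped; values keep their text form ("true", "0.0.0.0", ...)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def binds_beyond_localhost(host_value: str) -> bool:
    """True when network.host (scalar or [a, b] list) accepts non-local connections."""
    for host in host_value.strip("[]").split(","):
        host = host.strip().strip("\"'")
        if host in ("_global_", "_site_"):  # ES special values: public / site-local addresses
            return True
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # _local_, hostnames, interface names: not judged here
        if addr.is_unspecified or not addr.is_loopback:  # 0.0.0.0, ::, or any non-loopback IP
            return True
    return False


def audit(config_text: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one elasticsearch.yml text."""
    s = parse_flat_yaml(config_text)
    findings: List[Tuple[str, str]] = []
    reachable = binds_beyond_localhost(s.get("network.host", "_local_"))  # ES default is _local_
    security = s.get("xpack.security.enabled", "").lower()
    port = s.get("http.port", "9200")
    if reachable and security == "false":
        findings.append(("CRITICAL", f"HTTP API on port {port} reachable from the network with "
                                     "xpack.security.enabled: false: anonymous read/write of all indices"))
    elif reachable and security != "true":
        findings.append(("HIGH", "reachable node without xpack.security.enabled set explicitly; "
                                 "releases before 8.0 defaulted to security off"))
    if security == "true" and s.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append(("MEDIUM", "authentication on but HTTP TLS off: credentials and data "
                                   "cross the network in clear"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(cfg) or "no findings")
```

Binding to a private address is not a substitute for authentication; the audit only stays quiet on the hardened text because security and TLS are on as well. A node that is genuinely loopback-only with security off gets no finding here, which is a deliberate scoping choice: it becomes the critical case the moment someone edits `network.host`.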
FlyTrap drone attack research presented at NDSS 2026
The UC Irvine team announced it would present its FlyTrap research at NDSS 2026 in San Diego, with a preprint also made available on arXiv. The work highlighted risks to law enforcement, border security, surveillance, and personal privacy from vision-based drone tracking weaknesses.
TPMS tracking research accepted for presentation at IEEE WONS 2026
The paper "Can't Hide Your Stride: Inferring Car Movement Patterns from Passive TPMS Measurements" was accepted for publication at IEEE WONS 2026. The work warned that current vehicle cybersecurity rules do not specifically address TPMS security and called for encryption and authentication protections.
UC Irvine researchers disclose FlyTrap drone-tracking vulnerability to DJI and HoverAir
UC Irvine researchers reported a critical flaw in camera-based autonomous target-tracking drones that lets an attacker use a specially patterned umbrella to manipulate a drone into moving closer. They disclosed the issue to DJI and HoverAir after demonstrating the FlyTrap technique against DJI Mini 4 Pro, DJI Neo, and HoverAir X1 drones.
Researchers collect TPMS broadcasts from over 20,000 vehicles in 10-week study
Researchers at IMDEA Networks Institute and partners deployed low-cost radio receivers near roads and parking areas for ten weeks, capturing more than six million unencrypted TPMS messages from over 20,000 vehicles. The study showed that fixed tire-sensor identifiers can be used to associate sensors with individual cars and infer movement patterns.
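The tracking risk described above comes entirely from the sensor ID being fixed and sent in the clear: a receiver that sees the same ID twice has a movement trace, and no key is needed. The simulation below is an added example written for this page, not code from the IMDEA Networks study; sensor IDs, receiver names, timings and the 32-bit ID width are constructed assumptions. It contrasts the static ID with the kind of protection the paper calls for: a keyed pseudonym that rotates each epoch, which the car's own receiver can resolve because it holds the key and only four candidate sensors, while a roadside receiver cannot link one epoch to the next.

```python
"""Why a fixed, cleartext TPMS identifier lets passive receivers link sightings of a
car, and how a keyed, rotating pseudonym removes that linkage for anyone without the
car's key. Added example; IDs, receivers, timings and frame width are constructed."""
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

ID_BYTES = 4          # assumption: 32-bit sensor IDs, as is common for TPMS
EPOCH_SECONDS = 3600  # assumption: the pseudonym rotates once per hour

Sighting = Tuple[str, int, int]  # (receiver name, time in seconds, over-the-air ID)


def static_id(sensor_id: int) -> int:
    """What the studied sensors send: the factory ID, unchanged for the sensor's life."""
    return sensor_id


def pseudonym(sensor_id: int, key: bytes, epoch: int) -> int:
    """Over-the-air ID as HMAC(key, epoch || sensor_id) truncated to the factory-ID
    width, so the frame layout stays the same but the value changes every epoch."""
    msg = epoch.to_bytes(4, "big") + sensor_id.to_bytes(ID_BYTES, "big")
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:ID_BYTES]
    return int.from_bytes(tag, "big")


def resolve_pseudonym(air_id: int, key: bytes, epoch: int,
                      own_sensors: List[int]) -> Optional[int]:
    """The car's receiver recomputes the pseudonym for each of its own sensors in the
    current epoch and matches; without the key there is nothing to recompute."""
    wire = air_id.to_bytes(ID_BYTES, "big")
    for sid in own_sensors:
        if hmac.compare_digest(pseudonym(sid, key, epoch).to_bytes(ID_BYTES, "big"), wire):
            return sid
    return None


def link_sightings(sightings: List[Sighting]) -> Dict[int, List[Tuple[str, int]]]:
    """Passive-observer view: group frames by over-the-air ID. An ID seen at more than
    one receiver yields a movement trace, which is the privacy problem."""
    by_id: Dict[int, List[Tuple[str, int]]] = defaultdict(list)
    for receiver, t, air_id in sightings:
        by_id[air_id].append((receiver, t))
    return {aid: sorted(obs, key=lambda o: o[1]) for aid, obs in by_id.items()
            if len({r for r, _ in obs}) > 1}


def simulate(rotate: bool, gap_seconds: int) -> Dict[int, List[Tuple[str, int]]]:
    """One constructed car with four sensors passes two receivers gap_seconds apart."""
    own_sensors = [0x1A2B3C01, 0x1A2B3C02, 0x1A2B3C03, 0x1A2B3C04]  # constructed IDs
    key = b"constructed-per-car-secret-key"                         # constructed key
    route = [("R1-highway", 0), ("R2-parking", gap_seconds)]
    sightings: List[Sighting] = []
    for receiver, t in route:
        epoch = t // EPOCH_SECONDS
        for sid in own_sensors:
            air_id = pseudonym(sid, key, epoch) if rotate else static_id(sid)
            sightings.append((receiver, t, air_id))
    return link_sightings(sightings)


if __name__ == "__main__":
    print("static IDs, 3 h apart  :", len(simulate(False, 3 * EPOCH_SECONDS)), "sensors linked")
    print("rotating, 3 h apart    :", len(simulate(True, 3 * EPOCH_SECONDS)), "sensors linked")
    print("rotating, 10 min apart :", len(simulate(True, 600)), "sensors linked (same epoch)")
```

Two caveats the simulation makes visible. First, rotation only breaks linkage across epochs: the 10-minute case still links all four sensors because both receivers see the same epoch's pseudonym, so the epoch length bounds how long an observer can follow a car. Second, a rotating identifier alone is confidentiality for the ID, not authentication of the frame; a deployable design also needs a synchronised epoch or counter on both sides and a MAC over the pressure payload so frames cannot be replayed or forged within an epoch.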
Sources
DJI robot vacuums expose sensitive data due to server vulnerability | brief | SC Media (scworld.com)
Unsecured Elasticsearch database leaks Dungeon Crusher players’ purchase data | brief | SC Media (scworld.com)
Researchers expose critical security vulnerability in autonomous drones (techxplore.com)
Your car's tire sensors could be used to track you (techxplore.com)