INSUBCONTINENT EXCLUSIVE:
Rallyhood says it &private and secure.& But for some time, it wasn&t.
The social network designed to help groups communicate and coordinate
left one of its cloud storage buckets containing user data open and exposed
The bucket, hosted on Amazon Web Services (AWS), was not protected with a password, allowing anyone who knew the easily-guessable web
address access to a decade worth of user files.
Rallyhood boasts users from Girl Scout and Boy Scout troops, and Komen, Habitat for
Humanities, and YMCA factions
The company also hosts thousands of smaller groups, like local bands, sports teams, art clubs, and organizing committees
Many flocked to the site after Rallyhood said it would help migrate users from Yahoo Groups, after Verizon (which also owns TechCrunch) said
it would shut down the discussion forum site last year.
The bucket contained group data as far back to 2011 up to and including last month
In total, the bucket contained 4.1 terabytes of uploaded files, representing millions of users& files.
Some of the files we reviewed
contained sensitive data, like shared password lists and contracts or other permission slips and agreements
The documents also included non-disclosure agreements and other files that were not intended to be public.
Where we could identify contact
information of users whose information was exposed, TechCrunch reached out to verify the authenticity of the data.
A security researcher who
goes by the handle Timeless found the exposed bucket and informed TechCrunch, so that the bucket and its files could be secured.
When
reached, Rallyhood chief technology officer Chris Alderson initially claimed that the bucket was for &testing& and that all user data was
stored &in a highly secured bucket,& but later admitted that during a migration project, &there was a brief period when permissions were
mistakenly left open.&
It not known if Rallyhood plans to warn its users and customers of the security lapse
At the time of writing, Rallyhood has made no statement on its website or any of its social media profiles of the incident.
Stop saying,
‘We take your privacy and security seriously&
