The ‘Key Ring’ Virtual Wallet App Exposed Private Data of 14 Million Users

Written by Bill Toulas
Last updated September 17, 2021

Researchers N. Rotem and R. Locar have discovered a total of four unprotected AWS (Amazon Web Services) S3 buckets containing highly sensitive user data of the Key Ring app. This app aims to help people shop without having to carry loyalty cards or shopping lists and to enjoy rewards and special discount offers right on the platform. Its affiliations with stores like Walmart, Target, CVS, Walgreens, Kohl’s, and many more, brought millions of downloads. Unfortunately for those users, the latest security incident exposed sensitive data of 14 million people, from January until February 2020.

The data contained in the buckets concerns the digital folders of the users, where people uploaded their private information. It includes IDs, driver's licenses, credit cards (with CVV numbers), club membership and loyalty cards, NRA cards, gift cards, medical insurance cards, medical marijuana cards, and more. Even worse, one of the buckets contained personally identifiable information (PII) such as full names, email addresses, locations (with ZIP codes), dates of birth, and membership ID numbers. Another S3 bucket contained user emails, home addresses, device and IP address information, and encrypted passwords. User registrations to promotional campaigns run by Kleenex, La Madeleine Bakery, Footlocker, and Mattel were also stored in one of the unprotected S3 buckets.

creditcard cvv

Source: VPN Mentor

As it becomes evident from the above, malicious actors could use this trove of data to conduct tax fraud, identity theft, account takeover, credit card fraud, or load stacking attacks against the exposed individuals. Of course, phishing and scamming attacks would be easy to launch, too, so there's a whole set of potential risks for these 14 million people now. If you are one of the Key Ring users, contact the company now and ask for advice on what to do next. If you had uploaded your credit card information to the app's digital folder, make sure to monitor your account and report any transactions that you don't recognize to your bank.

Apps like the 'Key Ring' promise convenience and benefits, but the security risks that are always involved in using them are never underlined. Thus, consumers are advised to trust no apps and no companies and share as little information with them as possible. Whatever amounts of time and money were saved thanks to using the 'Key Ring' app won't be enough to justify the trouble you'll have to go through now.

For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: