- A Swedish social media app left an AWS S3 bucket exposed to anyone with a web browser.
- The details that have been compromised include names, emails, images, private chats, and location coordinates.
- Panion should now undergo a GDPR investigation for mishandling user data and failing to report a security incident.
Sharing your private and sensitive data with social media platforms is something that all users have to accept, and what matters for them is how responsibly the platform handles and protects that data. In the case of the Swedish social media platform “Panion,” the situation could hardly be worse, as the company’s admins left a service bucket exposed online without requiring a password for access. The discovery was made by CyberNews investigators, who are always on the lookout for such exposures.
Thanks to their work and timely notice, Panion secured the leaky Amazon S3 bucket and locked down the 694,116 files contained in it. There were roughly 2.5 million user records in these files, including full names, email addresses, genders, interests, images, selfies, document photos, private chats, and even location coordinates. Of these records, 171,855 concern unique users, so that is the number of people whose data was exposed to the internet.
The bucket was discovered on September 17, 2020, but Panion wasn’t very quick to respond. Eventually, the social media firm disabled public access to its server on September 25, 2020, but the total duration of the exposure remains unknown. Even if it’s eight days, which would be the minimum, it’d still be more than enough for bot crawlers to locate it and for malicious actors to exfiltrate the data.
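As an added example (not from the article, CyberNews, or Panion), here is how a defender might audit the two settings that decide whether an S3 bucket is readable by anyone: the bucket ACL and the Public Access Block. The dictionaries mirror the shapes boto3's `get_bucket_acl` and `get_public_access_block` return; the sample values are constructed, and a bucket with no Public Access Block is represented here as an empty dict (boto3 itself raises an error in that case).

```python
# Well-known S3 group grantee URIs that mean "everyone" (AllUsers) or
# "anyone with any AWS account" (AuthenticatedUsers); both count as public.
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls",
                "BlockPublicPolicy", "RestrictPublicBuckets")


def public_acl_grants(acl):
    """Permissions the bucket ACL grants to public groups (shape of get_bucket_acl)."""
    return sorted(
        g["Permission"] for g in acl.get("Grants", [])
        if g["Grantee"].get("Type") == "Group"
        and g["Grantee"].get("URI") in PUBLIC_GRANTEES
    )


def public_access_block_gaps(pab):
    """Public Access Block settings that are missing or disabled."""
    cfg = pab.get("PublicAccessBlockConfiguration", {})
    return [k for k in PAB_SETTINGS if not cfg.get(k, False)]


def assess_bucket(acl, pab):
    """Combine ACL grants and Public Access Block into an exposure verdict."""
    grants = public_acl_grants(acl)
    gaps = public_access_block_gaps(pab)
    # A public ACL grant only takes effect when IgnorePublicAcls is not enforced.
    effective = grants if "IgnorePublicAcls" in gaps else []
    return {"public_grants": grants, "pab_gaps": gaps, "exposed": bool(effective)}


# Constructed sample: the weak configuration (everyone can list/read objects,
# no Public Access Block) beside the corrected one.
WEAK_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
WEAK_PAB = {}  # no Public Access Block configured at all
HARDENED_ACL = {"Grants": [WEAK_ACL["Grants"][0]]}
HARDENED_PAB = {"PublicAccessBlockConfiguration": {k: True for k in PAB_SETTINGS}}

if __name__ == "__main__":
    print("weak:", assess_bucket(WEAK_ACL, WEAK_PAB))
    print("hardened:", assess_bucket(HARDENED_ACL, HARDENED_PAB))
```

Turning all four Public Access Block settings on is the single change that would have neutralised a public ACL like the one in the weak sample, even before the ACL itself was cleaned up.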
That said, if you’re a Panion user, go ahead and reset your credentials on the platform immediately. If you were using the same password elsewhere, change it and pick something unique and strong enough. It is also possible that you will receive phishing emails now, so be aware of this and stay alert against scamming attempts.
Finally, since Panion is based in Malmö, Sweden, this security incident falls under the GDPR, so an investigation could result in hefty fines for the company. If you are using the app and are an EU citizen, you’d better take the initiative and inform your country’s data protection office so that the proper procedure is initiated.
Panion’s user base is mostly located in Sweden, but people from Denmark and the United States also use it. These users are possibly immigrants from Sweden who are looking to stay in touch with their friends and relatives back home. Unfortunately for them, Panion betrayed their trust and exposed their sensitive details online.