Vidigami Leaks Photos and Account Information online
School Photo Storage Company Vidigami Leaks Photos and Account Information online.
Vidigami is a photo management solution designed for schools and according to their website “More than 100 leading independent schools in North America have chosen Vidigami as their photo management solution for school memories”.
On July 12th the MacKeeper Security Research Center identified an unsecured database that was publicly available and accessible without any form of authorization. The database contained details on 118 thousand accounts and profiles, including login details (such as email addresses) and hashed passwords, plus links to the images and archives.
The discovery was made using the public Shodan search as part of a weekly external security monitoring routine.
The MacKeeper Security Research Team was in contact with Sean Cunningham, a full-stack developer at Vidigami. He later confirmed that this MongoDB server was part of their testing environment and did not hold the live data of the service.
Whether or not it was a "testing environment" you can judge by looking at the redacted snapshots taken from the staging server. It still contained a trove of customer data such as login emails, usernames, hashed passwords, images and archives.
In further communications Sean admitted that they had indeed had technical issues, including a faulty configuration of the "Fail2Ban" service on their machines. Fail2Ban must be additionally configured to work alongside the firewall, so UFW was temporarily turned off for work to commence on the server. Following the configuration of the Fail2Ban service, UFW encountered an error (based on a misunderstanding of the proper way to integrate the two services), which caused UFW to fail to start.
According to Vidigami, no data was affected, but they are going to notify the users anyway. The MacKeeper Security Research Team has confirmed that the data is now secured and is not publicly accessible. Vidigami was open and transparent about the notification of the data leak and acted fast to respond and secure the database.
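The checks a practitioner would want after maintenance of this kind, as an added example (not code from the article, from Vidigami, or from Kromtech): a POSIX shell script that verifies UFW actually came back up, that Fail2Ban bans are routed through UFW rather than raw iptables, and that mongod is bound to loopback only. The `banaction = ufw` pairing and the config file paths are the script's own assumptions, and every sample input is constructed.

```shell
#!/bin/sh
# Post-maintenance check for the failure mode in the article: UFW not coming back
# up after Fail2Ban work, leaving a MongoDB listener reachable from the internet.
# The pure functions take command output / config text so they can run offline.

# 0 if `ufw status` output reports an active firewall (run as root for real output).
ufw_is_active() {
  printf '%s\n' "$1" | grep -q '^Status: active$'
}

# 0 if a fail2ban jail.local text pairs bans with UFW (banaction = ufw, the stock
# action in fail2ban's action.d/ufw.conf). Assumed to be the intended integration.
fail2ban_uses_ufw_banaction() {
  printf '%s\n' "$1" | grep -Eq '^[[:space:]]*banaction[[:space:]]*=[[:space:]]*ufw([[:space:]]|$)'
}

# 0 if a mongod.conf (YAML text) binds only to loopback addresses.
mongo_bound_to_loopback_only() {
  conf=$1
  # bindIpAll: true listens on every interface regardless of bindIp
  printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*bindIpAll:[[:space:]]*true' && return 1
  bind=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*bindIp:[[:space:]]*//p' | head -n 1 | tr -d " '\"")
  # no bindIp at all: treat as exposed (older mongod releases defaulted to all interfaces)
  [ -n "$bind" ] || return 1
  for ip in $(printf '%s\n' "$bind" | tr ',' ' '); do
    case "$ip" in
      127.*|::1|localhost) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

# Run the checks against the live host; prints each finding, non-zero on any FAIL.
check_host() {
  rc=0
  if command -v ufw >/dev/null 2>&1; then
    ufw_is_active "$(ufw status 2>/dev/null)" || { echo "FAIL: UFW is not active"; rc=1; }
  fi
  if [ -r /etc/fail2ban/jail.local ] && ! fail2ban_uses_ufw_banaction "$(cat /etc/fail2ban/jail.local)"; then
    echo "WARN: fail2ban banaction is not ufw"
  fi
  if [ -r /etc/mongod.conf ]; then
    mongo_bound_to_loopback_only "$(cat /etc/mongod.conf)" || { echo "FAIL: mongod listens on a non-loopback address"; rc=1; }
  fi
  return $rc
}

# Constructed samples (not taken from Vidigami's systems): the bad shape from the article.
SAMPLE_UFW="Status: inactive"
SAMPLE_MONGO="net:
  port: 27017
  bindIp: 0.0.0.0"
ufw_is_active "$SAMPLE_UFW" || echo "sample: firewall down"
mongo_bound_to_loopback_only "$SAMPLE_MONGO" || echo "sample: mongod exposed"
if [ "${1:-}" = "--live" ]; then check_host; fi
```

Invoke with `--live` as root to check the local host instead of the constructed samples.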
Attention: Portions of this article may be used for publication if properly referenced and credit is given to Kromtech Security Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org