▣ Breach MESSAGING-APP-1 2026-05-18

Tokee: 1.2M User Profiles Exposed via Unsecured MongoDB

Cybernews researchers have confirmed that Tokee, a video and text messaging application, leaked the profile data of approximately 1.2 million users through an unsecured MongoDB database. The exposure represents the vast majority of the platform's known user base and was taken offline only after researchers notified the company and responsible authorities.

What Happened

Researchers discovered an exposed MongoDB instance belonging to Tokee that contained the personal data of roughly 1.2 million users. MongoDB is a widely deployed NoSQL database used by businesses to manage large volumes of structured and unstructured data, and misconfigured instances remain one of the most common sources of mass data exposure on the public internet. The same infrastructure also housed user chat messages, which researchers reported were encrypted using password-based OpenSSL encryption. After Cybernews disclosed the issue to Tokee and relevant authorities, the database was removed from public access.

What Was Taken

The exposed records included a rich set of identity and telemetry fields tied to individual user accounts:

While the message bodies themselves were encrypted, the metadata and account attributes exposed are sufficient to enable targeted profiling, social engineering, and account takeover preparation.

Why It Matters

The Tokee incident reinforces a recurring lesson in modern application security: encrypting payloads does not compensate for a misconfigured data layer. The leaked dataset combines verified phone numbers, persistent user identifiers, and device push tokens, a trifecta that allows attackers to map identities across platforms, attempt SIM swap fraud, and deliver targeted phishing or smishing campaigns at scale. The presence of premium status flags also gives attackers a way to prioritize high-value targets within the user base. For a messaging platform whose value proposition depends on user trust, the reputational impact compounds the regulatory exposure under GDPR, CCPA, and similar frameworks that treat phone numbers as protected personal data.

The Attack Technique

This was not an intrusion in the traditional sense. The data was accessible because the MongoDB database was reachable from the public internet without sufficient access controls, a configuration failure rather than an exploited vulnerability. Cybernews researchers located the instance through routine internet scanning and confirmed its contents before responsible disclosure. There is no indication at this time of malicious actor access, though the duration of exposure and any prior indexing by third parties remain unknown.

What Organizations Should Do

  1. Audit all MongoDB, Elasticsearch, and similar datastore deployments for public exposure, and enforce authentication, IP allowlisting, and TLS by default.
  2. Treat phone numbers and device push tokens as sensitive identifiers, not low-risk metadata, and apply tokenization or hashing where business logic permits.
  3. Separate encrypted message payloads from account metadata at the infrastructure layer to limit the blast radius of any single misconfiguration.
  4. Implement continuous external attack surface monitoring to detect newly exposed services before researchers or attackers do.
  5. Rotate device push tokens and review push notification abuse controls following any suspected metadata exposure.
  6. Establish a documented vulnerability disclosure program so external researchers can report findings rapidly and remediation timelines are clear.

Sources: Messaging App Leaks Details Of 1.2M Profiles Online, Including Names And Phone Numbers