Pray.com is a popular Christian faith app used for daily prayers and biblical audio content, with several million downloads from the Play Store. Recently, Pray.com exposed the personal data of around 10 million people, in records dating back to 2016.
Researchers at vpnMentor discovered four misconfigured AWS S3 buckets belonging to the company. Although the company had made around 80,000 of the files private, it did not apply the same restrictions to its CloudFront CDN, which also had access to the files. This means an attacker could have obtained the personal information of 10 million people, most of whom were not even Pray.com users.
As vpnMentor explained, the company had not put proper access controls on its CloudFront distribution. Because CloudFront was itself permitted to read from the buckets, any file in them could be fetched indirectly through the CDN, regardless of the file's individual security settings: making an object private in S3 is meaningless if the CDN in front of it serves it to anyone who knows the URL.
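The pattern described above (private S3 objects, an origin access identity that lets CloudFront read them, and no viewer restriction on the distribution) is visible in the distribution configuration itself. The following audit script is an added example, not code from vpnMentor or Pray.com. It inspects the `DistributionConfig` document that `aws cloudfront get-distribution-config` returns and flags every cache behavior that serves an OAI/OAC-protected origin without requiring signed URLs or signed cookies. The bucket names, IDs and key group in the embedded sample are constructed, and the script assumes the bucket policy really does grant the OAI read access (which is the normal setup when an OAI is configured).

```python
"""Audit a CloudFront DistributionConfig for the "private S3, public CDN" pattern.

Added example (not from the vpnMentor report or Pray.com). Works on the
DistributionConfig document from `aws cloudfront get-distribution-config`;
a constructed sample is embedded so the script runs offline.
"""
from typing import Dict, List

# Constructed sample: one origin protected by an origin access identity (OAI),
# one plain public-bucket origin, and two behaviors targeting the OAI origin,
# only one of which requires signed requests. All names/IDs are made up.
SAMPLE_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [
        {"Id": "s3-uploads",
         "DomainName": "example-uploads.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity":
                            "origin-access-identity/cloudfront/E1EXAMPLE"}},
        {"Id": "s3-public-assets",
         "DomainName": "example-assets.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": ""}},
    ]},
    "DefaultCacheBehavior": {
        "TargetOriginId": "s3-uploads",
        "TrustedSigners": {"Enabled": False, "Quantity": 0},
        "TrustedKeyGroups": {"Enabled": False, "Quantity": 0},
    },
    "CacheBehaviors": {"Quantity": 1, "Items": [
        {"PathPattern": "/donations/*",
         "TargetOriginId": "s3-uploads",
         "TrustedSigners": {"Enabled": False, "Quantity": 0},
         "TrustedKeyGroups": {"Enabled": True, "Quantity": 1,
                              "Items": ["K1EXAMPLE"]}},
    ]},
}


def origin_reads_private_objects(origin: Dict) -> bool:
    """True if CloudFront itself is granted read access to the origin bucket.

    With a legacy OAI or a newer origin access control (OAC) the bucket policy
    lets the distribution read objects, so per-object ACLs no longer gate access.
    """
    oai = origin.get("S3OriginConfig", {}).get("OriginAccessIdentity", "")
    oac = origin.get("OriginAccessControlId", "")
    return bool(oai) or bool(oac)


def behavior_is_restricted(behavior: Dict) -> bool:
    """True if viewers need a signed URL or signed cookie on this behavior."""
    signers = behavior.get("TrustedSigners", {}).get("Enabled", False)
    key_groups = behavior.get("TrustedKeyGroups", {}).get("Enabled", False)
    return bool(signers or key_groups)


def find_exposed_behaviors(config: Dict) -> List[str]:
    """Return the path patterns through which private S3 objects reach any viewer.

    An origin CloudFront can read (OAI/OAC) combined with a behavior that does
    not require signed requests means every object behind that path pattern is
    fetchable by URL through the CDN, whatever its S3 ACL says.
    """
    origins = {o["Id"]: o for o in config.get("Origins", {}).get("Items", [])}
    behaviors = [("*", config["DefaultCacheBehavior"])]
    for b in config.get("CacheBehaviors", {}).get("Items", []):
        behaviors.append((b["PathPattern"], b))

    exposed = []
    for pattern, b in behaviors:
        origin = origins.get(b.get("TargetOriginId"), {})
        if origin_reads_private_objects(origin) and not behavior_is_restricted(b):
            exposed.append(pattern)
    return exposed


if __name__ == "__main__":
    for pattern in find_exposed_behaviors(SAMPLE_CONFIG):
        print(f"behavior {pattern!r}: private objects reachable without signed URLs")
```

In the sample, the default behavior (`*`) is flagged because it fronts the OAI-protected bucket with no trusted signers or key groups, while `/donations/*` is not, since it requires a key-group signature. Against a real account, feed the script the `DistributionConfig` object from `get_distribution_config` for each distribution; any flagged pattern means the "private" files behind it are effectively public.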
The exposed data included profile pictures of app users; CSV files uploaded by churches using the app, with the names, home and email addresses, phone numbers and other details of churchgoers; and PII of individuals who donated to churches through the app.
The incident may also draw regulatory scrutiny under privacy laws such as the CCPA and the GDPR. The researchers warned that individuals caught up in the leak, some of whom had .gov and .mil email addresses, were at risk of follow-on phishing, identity fraud and account takeover.