A security lapse at Blind revealed users’ account information and complaints


Blind, an app-based ‘anonymous’ social network, was meant to be a safe way for employees to reveal malfeasance, wrongdoing and improper conduct at their workplaces. But recently one of its servers was left exposed without requiring a password, making it possible for anyone to access users’ account information and thus identify would-be whistleblowers at any organization.

The exposed server was found by security researcher Mossab H, who promptly informed the company about the security lapse. Blind’s exposed ElasticSearch database contained several tables, including private messaging data and web-based content, for both its U.S. and Korean sites.
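The root cause described above is an Elasticsearch node that answered HTTP requests without any authentication. As an added illustration that is not part of the original article and not Blind's own configuration, the `elasticsearch.yml` fragment below shows the weak settings that produce an open node beside a hardened configuration. It assumes Elasticsearch 7.x, where the basic security features (`xpack.security`) ship in the default distribution; the address 10.0.0.5, the cluster and node names, and the certificate paths are constructed placeholders.

```yaml
# --- Weak: how an Elasticsearch node ends up readable by anyone on the internet ---
# (assumed Elasticsearch 7.x; all addresses and paths are constructed placeholders)
#
# network.host: 0.0.0.0          # listens on every interface, including the public one
# xpack.security.enabled: false  # no authentication: every index is readable via GET /_search

# --- Hardened: bind to a private interface and require authentication ---
cluster.name: example-cluster
node.name: node-1
discovery.type: single-node

# Listen only on a private address so the HTTP API (9200) and the transport
# port (9300) are not reachable from the internet; a firewall or cloud
# security group should enforce the same boundary independently.
network.host: 10.0.0.5
http.port: 9200

# Require authentication and authorization for every request. After enabling
# this, the built-in user passwords are set with:
#   bin/elasticsearch-setup-passwords interactive
xpack.security.enabled: true

# Encrypt node-to-node traffic (Elasticsearch requires this once security is
# enabled on a multi-node cluster; harmless on a single node).
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.verification_mode: certificate
xpack.security.transport.ssl.keystore.path: certs/elastic-certificates.p12
xpack.security.transport.ssl.truststore.path: certs/elastic-certificates.p12

# Encrypt the HTTP API so credentials are not sent in clear text.
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12
```

After restarting the node, the check a defender wants is that an unauthenticated request to the node's own address now receives a 401 rather than index data, and that the address is not reachable from outside the private network at all; the two controls (authentication and network exposure) should each hold on their own, since the incident above shows what happens when the only control is the hope that nobody finds the host.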

The exposure relates to “a single server, one among many servers on our platform,” said Blind executive Kyum Kim in an email. Only the users who signed up or logged in between November 1 and December 19 were affected, the company added.

The South Korean company quickly became a highly popular anonymous social network in the U.S. for employees of major tech companies such as Apple, Uber, Google and Microsoft. Blind was at the root of several high-profile scandals, including allegations of sexual harassment at Uber; the ridesharing company later blocked the app on its corporate network.

After the recent security incident, the company began emailing its users, saying: “While developing an internal tool to improve our service for our users, we became aware of an error that exposed user data.” Kim also said that there is “no evidence” that the database was misappropriated or misused while it remained exposed.