An open Elasticsearch database belonging to a company
named Covve leaked online, impacting around 23 million email addresses and
other personal details.
Troy Hunt, the researcher behind the Have I Been Pwned
a while back about a data breach he dubbed “db8151dd” after one of the unique
global identifiers used inside the database. It’s a 90GB trove of personal
information with millions of entries. The
weirdest part was that nobody knew where it came from.
The source of that data breach has now been identified as
Covve, which makes a popular contacts app with CRM features,
business cards, and more. Covve recently acknowledged a security incident.
“Data belonging to approximately 90,000 users was
compromised by a 3rd party who gained unauthorized access to a legacy system
before it was decommissioned in early January,” said Covve on their blog.
“This system related to the now-retired Covve web app. It appears at this stage
that contact data such as name and contact details were accessed, that the data
cannot be directly associated with specific users, and no user passwords were

The biggest problem with this data breach is that it
affects people who had nothing to do with the app. For example, if someone had
your phone number and email address and used the Covve app, your data was
leaked just the same.
And since the Covve app scraped the Internet for details
on contacts people added into the app, the size of the breach becomes all the
more evident. Unfortunately, users can’t do a whole lot about this problem,
especially since the breach affects mostly people who have nothing to do with