AngelSense GPS Leak Left Sensitive User Information Exposed Online

Written by: Lore Apostol, Cybersecurity & Streaming Writer

AngelSense recently suffered a significant data breach that exposed its users' sensitive personally identifiable information (PII) and GPS location logs to the open internet, because an internal database was left online without password protection.

AngelSense is a New Jersey-based assistive technology company that provides GPS tracking and location monitoring devices for people with disabilities. Its service determines whether a monitored person is in peril and keeps logs of changes in user geolocation activity.

The security lapse allowed anyone with knowledge of the database's public IP address to access the data. 

The exposure, first spotted by security firm UpGuard, involved a database containing sensitive user details, including names, home addresses, phone numbers, GPS coordinates, email addresses, and passwords.

Exposed Credit Card Information | Source: UpGuard
Examples of Name, Phone Number, and Address | Source: UpGuard

Disturbingly, associated health information about subjects being monitored—such as conditions like autism, Down syndrome, and dementia—was also exposed. Additionally, partial credit card information and authentication tokens were visible in plaintext, further compounding the severity of the breach.

UpGuard first identified the exposed database on January 14, and its presence was confirmed through Shodan, a search engine for internet-facing devices and systems. However, the exact duration of the exposure remains unclear, as does the total number of affected individuals.

AngelSense was notified of the vulnerability more than a week before taking corrective action, and the firm's CEO confirmed the vulnerability, stating they acted promptly to validate the findings and resolve the issue. 

However, the company claimed there is no evidence to suggest that the information was accessed by unauthorized parties or misused. The company declined to specify whether it had the technical capacity to determine illegitimate access during the exposure period.  

In other news, license-plate-recognition systems expose live video feeds and sensitive vehicle data due to misconfigurations of individual Motorola ALPR cameras across the U.S.


