A popular app allowing parents to track their baby’s special moments by storing
videos, pictures, height, weight, location, and other milestones in a child’s development has leaked thousands of those special moments online.
Peekaboo Moments, developed by Bithouse Inc., failed to secure an Elasticsearch database holding over 70 million log files with Peekaboo Moments users' data, including links to videos and photos and geo-location coordinates.
The unsecured database was discovered by Dan Ehrlich of the US-based computer security consulting firm Twelve Security. Peekaboo Moments
appears to be run by a China-based company, and the Singapore-based Alibaba Cloud hosted the server in question. On the Peekaboo Moments
Google Play listing, the company states, “We completely understand how
these moments are important to you,” and “Data privacy and security come as
our priority. Every baby’s photos, audios & videos or diaries will be stored in
secured space. Only families and friends can have access to baby’s moments at
At this point, it is not clear how long the Elasticsearch server has been exposed
or who has accessed the data.
The Peekaboo Moments app has been downloaded more than a million times, according to its Google Play listing, and still carries
a 4.6 out of 5 rating from more than 69,000 reviews. The Information Security
Media Group (ISMG) has reached out multiple times to Peekaboo Moments
CEO Jason Liu, based in San Francisco, for information on the breach, with no
reply. ISMG also reached out to Ehrlich for comment; he stated, “I’ve never
seen a server so blatantly open,” and that “everything about the server, the
company’s website and the iOS/Android app was both bizarrely done and grossly insecure.”
The data breach also exposed the Facebook API keys the app uses to upload photos and
videos from Peekaboo Moments to its users' Facebook accounts. With those keys, an attacker
could gain access to content on Peekaboo users' Facebook pages.
Facebook was notified of the breach on Wednesday but has not yet responded,
nor is it known whether it has revoked the developer's compromised API keys.
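The open Elasticsearch server described above and the Facebook API keys found in its logs are the two findings a responder would want to confirm quickly. The following Python script is an added example, not code from this report, from Twelve Security, or from Bithouse Inc. It asks a node whether it answers unauthenticated requests, lists the indices and their document counts, samples a few documents from each index, and scans them for access tokens and coordinate pairs. The endpoints are the standard Elasticsearch REST API; the Facebook token patterns and every sample response are assumptions constructed for the offline demo.

```python
"""Triage an Elasticsearch node that may answer without authentication.

Added example; not code from the original report, Twelve Security, or Bithouse.
Assumes the standard Elasticsearch REST endpoints ("/", "/_cat/indices",
"/<index>/_search"). All sample responses below are constructed.
"""
import json
import re
import sys
import urllib.error
import urllib.request

# Material that should never appear in application logs. The Facebook token
# shapes are assumptions about common formats: user/page access tokens usually
# begin with "EAA"; app access tokens look like "<app_id>|<app_secret>".
PATTERNS = {
    "facebook_user_token": re.compile(r"\bEAA[A-Za-z0-9]{20,}\b"),
    "facebook_app_token": re.compile(r"\b\d{6,20}\|[A-Za-z0-9_-]{16,}\b"),
    # Loose "lat,lon" heuristic: at least three decimals on each side.
    "geo_coordinates": re.compile(r"-?\d{1,3}\.\d{3,},\s*-?\d{1,3}\.\d{3,}"),
}


def http_get(base_url, path, timeout=5):
    """Unauthenticated GET. Returns (status, body); 401/403 mean auth is enforced."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def find_secrets(text):
    """Return (label, match) pairs for every pattern hit in text."""
    return [(label, m.group(0))
            for label, pat in PATTERNS.items() for m in pat.finditer(text)]


def triage(fetch, sample_size=5):
    """fetch(path) -> (status, body). Summarise what an anonymous client can read."""
    report = {"open": False, "version": None, "indices": [],
              "total_docs": 0, "findings": []}
    status, body = fetch("/")
    if status != 200:          # 401/403: security enabled; anything else: not ES
        return report
    report["open"] = True
    report["version"] = json.loads(body).get("version", {}).get("number")
    status, body = fetch("/_cat/indices?format=json")
    if status != 200:
        return report
    for idx in json.loads(body):
        name, count = idx["index"], int(idx.get("docs.count") or 0)
        report["indices"].append((name, count))
        report["total_docs"] += count
        # Peek at a handful of documents per index and scan them for secrets.
        status, body = fetch(f"/{name}/_search?size={sample_size}")
        if status != 200:
            continue
        for hit in json.loads(body).get("hits", {}).get("hits", []):
            for label, value in find_secrets(json.dumps(hit.get("_source", {}))):
                report["findings"].append((name, label, value))
    return report


# Constructed responses standing in for an open node; the figures are illustrative.
SAMPLE_RESPONSES = {
    "/": (200, json.dumps({"name": "node-1", "version": {"number": "6.8.0"}})),
    "/_cat/indices?format=json": (200, json.dumps([
        {"index": "app-logs-2019.12", "docs.count": "70000000"},
        {"index": ".kibana", "docs.count": "3"},
    ])),
    "/app-logs-2019.12/_search?size=5": (200, json.dumps({"hits": {"hits": [
        {"_source": {"msg": "upload ok token=EAAxxxxxxxxxxxxxxxxxxxxxxxx",
                     "loc": "37.7749,-122.4194"}},
        {"_source": {"msg": "fb app 123456789012|abcdefghijklmnopqrstuvwxyz"}},
    ]}})),
    "/.kibana/_search?size=5": (200, json.dumps({"hits": {"hits": []}})),
}


def offline_demo():
    """Run triage against the constructed responses."""
    return triage(lambda path: SAMPLE_RESPONSES[path])


if __name__ == "__main__":
    if len(sys.argv) == 2:   # e.g. python triage.py http://203.0.113.10:9200
        result = triage(lambda path: http_get(sys.argv[1], path))
    else:
        result = offline_demo()
    print(json.dumps(result, indent=2))
```

Run it with a URL to probe a node you are authorised to test, or with no arguments for the offline demo. A 401 or 403 on `/` means authentication is enforced; a 200 with the cluster banner is the condition the article describes. On the Elasticsearch side the fix is to enable authentication (`xpack.security.enabled: true` in `elasticsearch.yml`, included in the free licence since 6.8 and 7.1) and to stop binding the HTTP port to a public interface; on the application side it is to keep tokens out of logs and revoke the ones that were written.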
Troy Hunt, founder of the data breach notification service Have I Been Pwned,
says the breach itself is relatively standard; what is disturbing
is the developers' complete unresponsiveness. “Here we have an organization trusted by a huge number of people to protect their precious memories, and they won’t even respond to reports of a very serious data security incident,” Hunt says. “That’s very alarming.”