Three Photo ID Apps Expose Sensitive Data of 152K Users via Misconfigured Firebase Instances
Cybersecurity researchers at Cybernews uncovered three popular mobile apps leaking highly sensitive user data through exposed Firebase instances. The misconfigured databases, lacking proper authentication and access controls, exposed emails, usernames (often including full names), Firebase Cloud Messaging (FCM) tokens, profile photos, and GPS coordinates data that could enable phishing, identity theft, and even physical tracking of users’ movements.
The affected apps Dog Breed Identifier Photo Cam (66,182 users exposed), Spider Identifier App by Photo (40,779 users exposed), and Insect Identifier by Photo Cam (45,005 users exposed) collectively have over 2 million downloads on Android. While not all users were impacted, those who enabled optional features tied to the misconfigured databases were at risk.
Evidence suggests hackers had already accessed the data, as researchers discovered a Proof-of-Concept entry a common indicator left by automated bots scanning for unsecured databases. Despite repeated attempts, Cybernews was unable to contact the app developers for remediation.
The breach highlights the risks of assuming app security based on popularity alone, as even widely downloaded applications can harbor critical vulnerabilities. The exposed GPS data, in particular, raises concerns about potential stalking or targeted attacks.
MundoGEO cybersecurity rating report: https://www.rankiteo.com/company/mundogeo
Spider ID cybersecurity rating report: https://www.rankiteo.com/company/spiderid
"id": "MUNSPI1770645203",
"linkid": "mundogeo, spiderid",
"type": "Breach",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': '66,182',
'industry': 'Photo Identification',
'name': 'Dog Breed Identifier Photo Cam',
'type': 'Mobile App'},
{'customers_affected': '40,779',
'industry': 'Photo Identification',
'name': 'Spider Identifier App by Photo',
'type': 'Mobile App'},
{'customers_affected': '45,005',
'industry': 'Photo Identification',
'name': 'Insect Identifier by Photo Cam',
'type': 'Mobile App'}],
'attack_vector': 'Misconfigured Database',
'data_breach': {'data_exfiltration': 'Evidence suggests hackers had already '
'accessed the data',
'file_types_exposed': ['Photos'],
'number_of_records_exposed': '152,000',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Emails',
'Usernames',
'FCM tokens',
'Profile photos',
'GPS coordinates']},
'description': 'Cybersecurity researchers at Cybernews uncovered three '
'popular mobile apps leaking highly sensitive user data '
'through exposed Firebase instances. The misconfigured '
'databases, lacking proper authentication and access controls, '
'exposed emails, usernames (often including full names), '
'Firebase Cloud Messaging (FCM) tokens, profile photos, and '
'GPS coordinates data that could enable phishing, identity '
'theft, and even physical tracking of users’ movements.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'exposure of sensitive user data',
'data_compromised': 'Emails, usernames, FCM tokens, profile '
'photos, GPS coordinates',
'identity_theft_risk': 'High',
'systems_affected': 'Firebase databases of three mobile apps'},
'lessons_learned': 'The breach highlights the risks of assuming app security '
'based on popularity alone, as even widely downloaded '
'applications can harbor critical vulnerabilities.',
'post_incident_analysis': {'root_causes': 'Misconfigured Firebase instances '
'lacking proper authentication and '
'access controls'},
'references': [{'source': 'Cybernews'}],
'title': 'Three Photo ID Apps Expose Sensitive Data of 152K Users via '
'Misconfigured Firebase Instances',
'type': 'Data Breach',
'vulnerability_exploited': 'Lack of authentication and access controls in '
'Firebase instances'}