Security Researchers Find 1.2 Million Tokee User Profiles Exposed in MongoDB Database

A misconfigured MongoDB database belonging to Tokee, a video and text messaging app, exposed the personal details of approximately 1.2 million users, representing the vast majority of the platform's user base, until Cybernews researchers reported the issue to the company and relevant authorities.

The exposed data included user display names, phone numbers, profile avatars hosted on Firebase Storage, device tokens used for push notifications, user IDs, account creation and update timestamps, "last seen" activity indicators, and account status flags distinguishing premium and non-premium users. Chat messages stored in the same database were encrypted using password-based OpenSSL encryption and were not exposed as readable content.

Device tokens are of particular concern because they can be used to send targeted phishing and spam directly to users' devices. Combined with display names and activity timestamps, the dataset is sufficient to build detailed profiles of individual users.

"Although user chat messages stored in the same infrastructure appear to be encrypted using password-based OpenSSL encryption, the exposed personal data alone presents significant privacy, security, and regulatory risks. The case also reinforces that encryption alone is insufficient without proper infrastructure security," Cybernews researchers said.

After Cybernews contacted the company and the responsible authorities, the exposed database was taken offline. The full technical report is available at cybernews.com. Tokee had not responded to a request for comment at the time of publication.
