Pray.com Exposed 10M Users' PII Online!

  • By Dawna M. Roberts
  • Nov 24, 2020

Widely used Christian app Pray.com exposed 10 million people’s personally identifiable information (PII) because of a misconfigured cloud storage space. Many of them weren’t even members!

What is Pray.com?

Pray.com, based out of Santa Monica, is the self-proclaimed #1 App for daily prayer and biblical audio content geared towards educating, inspiring, and helping users sleep. 

The app includes many audio and video snippets featuring famous voices such as Kristen Bell, Malcolm McDowell, Blair Underwood, Joel Osteen, and James Earl Jones. There is something for everyone, even sleep stories and children's content. Subscriptions cost between $50 and $120.

Pray.com is ranked pretty well on the Apple Store (#24 lifestyle app), and 1 million people have downloaded it on Google Play. 

What Happened and How?

Recently, vpnMentor discovered four misconfigured Amazon S3 buckets belonging to Pray.com. Roughly 80,000 of the files they contained were secured; however, the company failed to secure its CloudFront CDN, so millions of users' PII had been exposed for several years. According to vpnMentor, "CloudFront allows app developers to cache content on proxy servers hosted by AWS around the world – and closer to an app's users – rather than load those files from the app's servers. Doing so speeds up the app's performance considerably." They added that "Pray.com's developers accidentally created a backdoor that gave complete access to all the files they had tried to protect."

The result is that the 1.8 million files in the S3 buckets could be viewed by hackers regardless of the individual file security settings. The CDN fetched objects from the buckets using its own access and then served them to anyone who requested them, so whatever permissions had been set on each object in S3 were never applied to the person downloading it through CloudFront.
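The pattern above (a CDN that reads from S3 with its own identity and hands the objects to unauthenticated viewers) can be caught in a distribution's configuration before anyone finds the files. The following is an added example written for this page, not code from the original article or from vpnMentor's report. It audits CloudFront distribution configs whose dictionaries mimic the DistributionConfig document the CloudFront API returns (for example via boto3's `get_distribution_config`); the bucket names, origin IDs, identity and key-group IDs are constructed, and nothing here describes Pray.com's actual setup.

```python
"""Audit CloudFront distribution configs for the pattern described above:
CloudFront fetches from S3 with its own identity and then serves the objects to
anyone, so per-object S3 permissions never apply to the viewer.

Constructed example (not Pray.com's real configuration). The dictionaries mimic
the DistributionConfig document returned by the CloudFront API, e.g.
boto3.client("cloudfront").get_distribution_config()["DistributionConfig"];
bucket, origin and identity names below are made up.
"""
from typing import Dict, List


def origin_reads_as_cloudfront(origin: Dict) -> bool:
    """True when CloudFront fetches from an S3 origin using an origin access
    identity (OAI) or origin access control (OAC). S3 then authorizes CloudFront,
    not the end viewer, so any object the identity can read gets served."""
    s3cfg = origin.get("S3OriginConfig")
    if s3cfg is None:
        return False  # custom (HTTP) origin: S3 object ACLs are not in play here
    has_oai = bool(s3cfg.get("OriginAccessIdentity"))
    has_oac = bool(origin.get("OriginAccessControlId"))
    return has_oai or has_oac


def behavior_requires_signed_requests(behavior: Dict) -> bool:
    """True when viewers must present a CloudFront signed URL or signed cookie
    (trusted signers or trusted key groups enabled on the cache behavior)."""
    signers = behavior.get("TrustedSigners", {})
    key_groups = behavior.get("TrustedKeyGroups", {})
    return bool(signers.get("Enabled")) or bool(key_groups.get("Enabled"))


def audit_distribution(config: Dict) -> List[str]:
    """Return one finding per cache behavior that hands anonymous viewers objects
    from an origin CloudFront reads with its own credentials."""
    origins = {o["Id"]: o for o in config["Origins"]["Items"]}
    behaviors = [("default (*)", config["DefaultCacheBehavior"])]
    for b in config.get("CacheBehaviors", {}).get("Items", []):
        behaviors.append((b["PathPattern"], b))

    findings = []
    for pattern, behavior in behaviors:
        origin = origins[behavior["TargetOriginId"]]
        if origin_reads_as_cloudfront(origin) and not behavior_requires_signed_requests(behavior):
            findings.append(
                f"behavior {pattern} -> origin {origin['Id']} ({origin['DomainName']}): "
                "CloudFront reads with its own identity and serves to anyone; object-level "
                "S3 permissions do not restrict viewers. Require signed URLs/cookies here "
                "or keep protected objects out of this origin."
            )
    return findings


# --- constructed sample configurations (hypothetical names) -----------------
_UPLOADS_ORIGIN = {
    "Id": "user-uploads-s3",
    "DomainName": "example-user-uploads.s3.amazonaws.com",
    "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLEOAI"},
}
_PUBLIC_ORIGIN = {
    "Id": "public-site",
    "DomainName": "www.example.com",
    "CustomOriginConfig": {"OriginProtocolPolicy": "https-only"},
}
_NO_SIGNING = {"TrustedSigners": {"Enabled": False, "Quantity": 0},
               "TrustedKeyGroups": {"Enabled": False, "Quantity": 0}}

# Exposed: the default behavior sends every path to the uploads bucket via the
# OAI with no signing required. Locking down individual objects in S3 changes nothing.
EXPOSED_CONFIG = {
    "Origins": {"Quantity": 1, "Items": [_UPLOADS_ORIGIN]},
    "DefaultCacheBehavior": {"TargetOriginId": "user-uploads-s3", **_NO_SIGNING},
    "CacheBehaviors": {"Quantity": 0, "Items": []},
}

# Hardened: public pages come from the web origin; the uploads bucket is only
# reachable under /uploads/* and every request there must carry a signed URL/cookie.
HARDENED_CONFIG = {
    "Origins": {"Quantity": 2, "Items": [_PUBLIC_ORIGIN, _UPLOADS_ORIGIN]},
    "DefaultCacheBehavior": {"TargetOriginId": "public-site", **_NO_SIGNING},
    "CacheBehaviors": {"Quantity": 1, "Items": [{
        "PathPattern": "/uploads/*",
        "TargetOriginId": "user-uploads-s3",
        "TrustedSigners": {"Enabled": False, "Quantity": 0},
        "TrustedKeyGroups": {"Enabled": True, "Quantity": 1, "Items": ["EXAMPLEKEYGROUP"]},
    }]},
}

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_distribution(cfg) or ["no findings"])
```

In a real account you would feed `audit_distribution` the `DistributionConfig` of every distribution returned by the CloudFront `list_distributions` call. The check deliberately ignores S3 origins that have no OAI or OAC: those pass the viewer's anonymous request straight to S3, where the bucket policy and object ACLs do decide access, so they belong to a bucket-side audit rather than this one.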

The files contained users' profile pictures (including avatars from private areas of the app), names, home addresses, email addresses, phone numbers, church CSV files, and churchgoers' donation information. Additionally, the app includes a feature that uploads a person's entire contact list. Those files contained contact information, including names, phone numbers, email addresses, home and work addresses, and marital status. Researchers also found private login details in the data. The cache of data dates back to 2016.

The donation data is concerning because hackers could use it to gauge the financial status of users who frequent the app and donate online. Threat researchers at vpnMentor said, "The long lists of donations processed by Pray.com would give cybercriminals invaluable insight into the finances of app users and an opportunity to contact them appearing as the app, querying a previous donation."

Another big concern is that "The people whose data Pray.com had stored in these phonebook files were not app users. They were simply people whose contact details had been saved on a Pray.com user's device. In total, we believe Pray.com stored up to 10 million peoples' private data without their direct permission – and without its users realizing they were allowing it to happen."

Threat assessors warned those with .gov and .mil email addresses to look out for phishing campaigns aimed at identity theft or fraud. 

Misconfigured cloud storage (specifically S3) accounted for 16% of the 196 data breaches recorded during 2018/2019.

A final warning by vpnMentor stated, "By not protecting its users' data – while also aggressively harvesting the data of their friends and family – Pray.com has exposed millions of people to various dangers [like phishing, identity theft, and account takeover]. The implications for the app's users, and the general public, should not be understated."

How Pray.com Responded

Although vpnMentor repeatedly contacted Pray.com to inform them of the data breach, the only response they received after many weeks was from the company's CEO, Steve Gatena, which simply said: "Unsubscribe."

vpnMentor also contacted Amazon directly about the problem, and five weeks after that, the files were removed, on Nov 17.

It is far too much to expect cybercriminals to leave hospitals and religious organizations alone. But it is also very alarming that in these times of widespread data breaches and ransomware attacks, companies are not evaluating their systems and improving infrastructure security to at least help minimize the damage. 
