Pray.com Exposed 10M Users' PII Online!
- By Dawna M. Roberts
- Nov 24, 2020
Widely used Christian app Pray.com exposed 10 million people’s personally identifiable information (PII) because of a misconfigured cloud storage space. Many of them weren’t even members!
What is Pray.com?
Pray.com, based out of Santa Monica, is the self-proclaimed #1 App for daily prayer and biblical audio content geared towards educating, inspiring, and helping users sleep.
The app includes many audio and video snippets featuring famous voices such as Kristen Bell, Malcolm McDowell, Blair Underwood, Joel Osteen, and James Earl Jones. There is something for everyone, even sleep stories and children's content. Subscriptions cost between $50 and $120.
Pray.com ranks well on the Apple App Store (#24 lifestyle app), and 1 million people have downloaded it on Google Play.
What Happened and How?
Recently, vpnMentor discovered four misconfigured Amazon S3 buckets belonging to Pray.com. Roughly 80,000 of the files in them had been set to private; however, the company failed to secure the CloudFront CDN sitting in front of the buckets, so millions of users' PII had been exposed for several years. According to vpnMentor, "Cloudfront allows app developers to cache content on proxy servers hosted by AWS around the world – and closer to an app's users – rather than load those files from the app's servers. Doing so speeds up the app's performance considerably." Additionally, they commented that "Pray.com's developers accidentally created a backdoor that gave complete access to all the files they had tried to protect."
The result was that 1.8 million files across the S3 buckets could be viewed by attackers through the CDN, regardless of each file's own security settings in S3.
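To make that failure mode concrete, the following Python example (added for this article; it is not code from Pray.com, vpnMentor or AWS) audits a CloudFront distribution configuration together with the S3 bucket policy behind it and flags the pattern described above: a CloudFront identity (an origin access identity or origin access control) granted `s3:GetObject` on every object in the bucket, while the distribution itself requires no signed URL or cookie, so each object's private setting no longer matters because CloudFront reads it on the viewer's behalf. The input dict shapes follow what boto3's `get_distribution_config` and `get_bucket_policy` return, but every value here (bucket name, identity and key group IDs, the `example-media` bucket) is constructed, and the check is a heuristic that ignores Deny statements, policy conditions and object ACLs.

```python
"""Audit a CloudFront distribution + S3 bucket policy for the
"private objects, public CDN" pattern. Constructed example; no AWS calls."""
import copy
from typing import Any, Dict, List


def _as_list(x: Any) -> List[Any]:
    return x if isinstance(x, list) else [x]


def _bucket_wide_statements(policy: Dict, bucket: str) -> List[Dict]:
    """Allow statements that grant object reads on every key in the bucket."""
    wide = f"arn:aws:s3:::{bucket}/*"
    hits = []
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & {"s3:getobject", "s3:*", "*"}:
            continue
        if wide in _as_list(st.get("Resource", [])):
            hits.append(st)
    return hits


def _principal_is_public(principal: Any) -> bool:
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _principal_is_cloudfront(principal: Any) -> bool:
    if not isinstance(principal, dict):
        return False
    aws = " ".join(_as_list(principal.get("AWS", [])))       # OAI: IAM-style user ARN
    svc = " ".join(_as_list(principal.get("Service", [])))   # OAC: service principal
    return "CloudFront Origin Access Identity" in aws or "cloudfront.amazonaws.com" in svc


def audit(dist_config: Dict, bucket: str, bucket_policy: Dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    wide = _bucket_wide_statements(bucket_policy, bucket)
    if any(_principal_is_public(st.get("Principal")) for st in wide):
        findings.append(f"bucket {bucket}: s3:GetObject granted to everyone on all objects")
    # Does this distribution read the bucket through a CloudFront identity?
    cf_reads_bucket = any(
        o["DomainName"].startswith(f"{bucket}.s3")
        and (o.get("S3OriginConfig", {}).get("OriginAccessIdentity") or o.get("OriginAccessControlId"))
        for o in dist_config["Origins"]["Items"])
    if not cf_reads_bucket:
        return findings
    cf_has_all_objects = any(_principal_is_cloudfront(st.get("Principal")) for st in wide)
    beh = dist_config["DefaultCacheBehavior"]
    viewers_need_signature = (beh.get("TrustedKeyGroups", {}).get("Enabled", False)
                              or beh.get("TrustedSigners", {}).get("Enabled", False))
    if cf_has_all_objects and not viewers_need_signature:
        findings.append(f"distribution {dist_config.get('CallerReference', '?')}: CloudFront identity "
                        f"can read every object in {bucket} and viewers need no signed URL; "
                        "per-object private settings do not apply")
    return findings


# ---- constructed sample inputs (not real AWS resources) ----
BUCKET = "example-media"
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXAMPLEOAI"

WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": OAI_ARN},
     "Action": "s3:GetObject", "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}
# Same grant, but scoped to a prefix meant to be public; private keys stay unreachable.
SCOPED_POLICY = copy.deepcopy(WEAK_POLICY)
SCOPED_POLICY["Statement"][0]["Resource"] = f"arn:aws:s3:::{BUCKET}/public/*"
PUBLIC_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": f"arn:aws:s3:::{BUCKET}/*"}]}

WEAK_DIST = {
    "CallerReference": "dist-weak",
    "Origins": {"Quantity": 1, "Items": [{
        "Id": "s3", "DomainName": f"{BUCKET}.s3.amazonaws.com",
        "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLEOAI"}}]},
    "DefaultCacheBehavior": {
        "TargetOriginId": "s3", "ViewerProtocolPolicy": "redirect-to-https",
        "TrustedSigners": {"Enabled": False, "Quantity": 0},
        "TrustedKeyGroups": {"Enabled": False, "Quantity": 0}}}
# Hardened: viewers must present a signed URL/cookie from a trusted key group.
HARDENED_DIST = copy.deepcopy(WEAK_DIST)
HARDENED_DIST["CallerReference"] = "dist-hardened"
HARDENED_DIST["DefaultCacheBehavior"]["TrustedKeyGroups"] = {
    "Enabled": True, "Quantity": 1, "Items": ["EXAMPLEKG"]}

if __name__ == "__main__":
    for name, dist, pol in [("weak", WEAK_DIST, WEAK_POLICY), ("hardened", HARDENED_DIST, WEAK_POLICY),
                            ("scoped", WEAK_DIST, SCOPED_POLICY), ("public", WEAK_DIST, PUBLIC_POLICY)]:
        print(name, audit(dist, BUCKET, pol) or "no findings")
```

Against live resources the same function takes `cf.get_distribution_config(Id=...)["DistributionConfig"]` and `json.loads(s3.get_bucket_policy(Bucket=...)["Policy"])` from boto3. The two hardened variants show the two defensible shapes: either the distribution demands signed URLs for everything it serves, or the CloudFront identity is only granted the prefix that is genuinely public. Marking individual objects private achieves neither when CloudFront holds a bucket-wide grant.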
The files contained users' profile pictures (including avatars from private areas of the app), names, home addresses, email addresses, phone numbers, church CSV files, and churchgoers' donation information. Additionally, the app includes a feature that uploads a person's entire contact list. Those files contained contact information, including names, phone numbers, email, home and work addresses, and marital status. Researchers also found private login details in the data. The cache of data dates back to 2016.
The donation data is concerning because attackers could use it to gauge the financial status of users who frequent the app and donate online. Threat researchers at vpnMentor said, "The long lists of donations processed by Pray.com would give cybercriminals invaluable insight into the finances of app users and an opportunity to contact them appearing as the app, querying a previous donation."
Another big concern is that "The people whose data Pray.com had stored in these phonebook files were not app users. They were simply people whose contact details had been saved on a Pray.com user's device. In total, we believe Pray.com stored up to 10 million peoples' private data without their direct permission – and without its users realizing they were allowing it to happen."
Threat assessors warned those with .gov and .mil email addresses to look out for phishing campaigns aimed at identity theft or fraud.
Misconfigured cloud storage (specifically S3) accounted for 16% of the 196 data breaches recorded during 2018 and 2019.
A final warning by vpnMentor stated, "By not protecting its users' data – while also aggressively harvesting the data of their friends and family – Pray.com has exposed millions of people to various dangers [like phishing, identity theft, and account takeover]. The implications for the app's users, and the general public, should not be understated."
How Pray.com Responded
Although vpnMentor repeatedly contacted Pray.com to inform it of the data breach, the only response it received after many weeks came from the company's CEO, Steve Gatena, and simply said: "Unsubscribe."
vpnMentor also contacted Amazon directly about the problem, and five weeks after that, on Nov 17, the files were removed.
It is far too much to expect cybercriminals to leave hospitals and religious organizations alone. But it is also very alarming that in these times of widespread data breaches and ransomware attacks, companies are not evaluating their systems and improving infrastructure security to at least help minimize the damage.