Report: Data Breach Exposes Victims on Abuse Prevention App

vpnMentor’s research team, led by renowned analysts Noam Rotem and Ran Locar, recently discovered an incredibly sensitive data breach originating from the domestic violence prevention app Aspire News App.

Built by the US non-profit When Georgia Smiled, Aspire News App can be installed on a user’s phone to appear as a news app. However, it also features an emergency help section with resources for domestic abuse victims, including a function for them to send emergency distress messages to a trusted contact person.

These distress messages can be sent via voice recording, with a victim’s details, home address, the nature of their emergency, and their current location. The developers of the Aspire News App had stored over 4,000 voice recordings on a misconfigured Amazon Web Services (AWS) S3 bucket, allowing any files to be viewed and downloaded, similar to a cloud storage folder.

Although it’s now secured, this data breach represents a significant lapse in basic data security by Aspire News App and When Georgia Smiled.

Every data breach creates a degree of risk for those affected. However, an app built for domestic abuse victims has a much greater responsibility to its users. Aspire News App was built to keep victims safe, but by not protecting their identities, the app risked putting them in even more danger.

This data breach is a lesson to all developers, especially those creating apps for domestic abuse victims or other at-risk groups, that data privacy must be a priority at all times.

Data Breach Summary

Company Profile

The Aspire News App was built by When Georgia Smiled, a non-profit founded by American TV personalities Robin McGraw and her husband “Dr. Phil” McGraw.

When Georgia Smiled was founded to help “advance organizations and programs that serve victims of domestic violence, sexual assault, child abuse and individuals facing crisis to live healthy, safe and joy-filled lives.”

Aspire News App is just one part of that broader mission. Built to appear as a news and entertainment app, Aspire News App is meant to keep domestic victims safe, educate them on abusive relationships and the support available for victims, and help them send emergency distress messages to trusted contacts.

Trusted contacts added within the app can be alerted with or without the user's location information.

Based on user reviews, both the iOS and Android versions of the Aspire News App have major technical issues that make it difficult to use. Users have also highlighted design flaws and features of the app that actually endanger people in abusive relationships.

Timeline of Discovery and Owner Reaction

Sometimes, the extent of a data breach and the owner of the data are obvious, and the issue quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what’s at stake or who’s exposing the data.

Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.

Some affected parties deny the facts, disregarding our research, or playing down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.

In this case, the exposed voice recordings were stored on a publicly accessible AWS S3 bucket, a popular form of cloud data storage.

Given the sensitive nature, we worked to quickly identify the owner of the data and reached out to organizations connected to the app: When Georgia Smiled and the Dr. Phil Foundation. 

While awaiting a reply from the organizations responsible for the Aspire News App, we also contacted AWS directly to notify them of the breach.

Lastly, we contacted Zack Whittaker at Techcrunch, who verified the breach independently and assisted in contacting the parties involved.

Eventually, we received an email from AWS stating they contacted the owners of the data and raised the issue with them.

Shortly after, the breach was closed.

• Date discovered: 24th June 2020
• Date vendors contacted: 24th June 2020
• Date Amazon Contacted 24th June 2020
• Date of Response: from Amazon: 24th June 2020
• Date of Action (Data Secured): 24th June 2020

Example of Entries in the S3 Bucket

The exposed S3 bucket was live, with new voice recordings uploaded as recently as the 23rd of June (the day before we discovered the breach). On some days, up to 10 records were being uploaded by users.

Each of these voice recordings could have easily been listened to and downloaded by anyone with the S3 bucket’s URL address.

In the voice recordings we sampled, victims revealed highly sensitive Personally Identifiable Information (PII) data about themselves and their partners, family members, or abusers. These included:

• Victims’ full names and home addresses
• Details of their emergencies and/or personal circumstances
• Abusers’ names and personal details

The following are transcripts taken from two recordings on Aspire News App’s S3 bucket:

In total, we found over 4,000 voice recordings in Aspire News App’s misconfigured S3 bucket.

The samples we listened to appeared to be pre-recorded, most likely when a victim had only a few minutes alone and needed to record and save a distress message quickly. They could then instantly send the saved message to an emergency contact any time they felt in danger, by pressing a button on the app.

This highlights the extreme conditions under which domestic abuse victims live, and the real physical danger if they’re caught seeking help from outside the home.

Furthermore, after months of government-mandated lockdowns across the USA, domestic abuse charities, police departments, and government agencies have recorded huge increases in domestic violence cases being reported.

With many victims forced to stay in close quarters with the abusers for unusually long periods, and unable to access support, an app like Aspire News App is a crucial lifeline. This is evidenced by the high number of messages being uploaded on a daily basis throughout June alone.

However, by not securing these voice recordings, the developers potentially inadvertently put victims in even more danger.

Data Breach Impact

For Aspire News App Users

This data breach could have created a real physical danger for users. If the recordings were leaked to the public, anyone living with an abusive partner could face punishment for trying to leave or report them to authorities.

Even if somebody had escaped an abusive relationship, but had sent a distress message via Aspire News App, they could face retaliation by former partners for indirectly exposing them as an abuser.

The data breach also risked triggering deep traumas in a victim of domestic abuse, forcing them to relive past abuse, had their details leaked to the public in any way.

Unfortunately, such an outcome could also lead to feelings of shame and isolation, if a victim’s abuse was kept secret and now exposed to friends, family, colleagues, and the general public.

Most concerning of all, had malicious or criminal hackers accessed these recordings, they could be weaponized against both victims and abusers to pursue blackmail and extortion campaigns.

The potential devastation caused by such an outcome can’t be overstated, risking the health, emotional well-being, and safety of all those impacted.

For Aspire News App

When Georgia Smiled and the developers of the Aspire News App could face considerable scrutiny and criticism for committing such a fundamental error and not protecting its users.

Publicity surrounding the data breach will undoubtedly focus on the app’s high profile backers - Dr. Phil and his wife, Robin McGraw - bringing further negative press attention to the breach.

As well as the bad publicity, When Georgia Smiled could also face investigations and auditing from US government agencies concerned about the highly sensitive nature of the data exposed.

However, the worst-case scenario for When Georgia Smiled could be losing users. If domestic abuse victims don’t feel safe using the app, they’ll no longer do so. The result? Fewer victims escaping abusive relationships.

By not maintaining higher data privacy standards, the Aspire News App risked becoming an obstacle in its own mission.

Advice from the Experts

The Aspire News App’s developers could have easily avoided exposing its customers’ recordings if it had taken some basic security measures to protect them. These include, but are not limited to:

1. Implementing proper access rules, disallowing listing the files in the bucket.
2. Configuring the buckets to allow only authenticated requests to download files.
3. Encrypting sensitive data stored in the bucket.

Any company can replicate the same steps, no matter its size.

For a more in-depth guide on how to protect your business, check out our guide to securing your website and online data from hackers.

Securing an Open S3 Bucket

It’s important to note that open, publicly viewable S3 buckets are not a flaw of AWS. They’re usually the result of an error by the owner of the bucket. Amazon provides detailed instructions to AWS users and warnings when a bucket is misconfigured, to help them secure S3 buckets and keep them private.

In the case of the Aspire News App, the quickest way to fix this error would be to:

• Make the bucket private and add authentication protocols.
• Follow AWS access and authentication best practices.
• Add more layers of protection to their S3 bucket to further restrict who can access it from every point of entry.
• Encrypt the recordings stored in the AWS bucket, so that even if a party gains access to the files, they would be useless.

For Aspire News App Users

If you or someone you know uses the Aspire News App, and you're concerned about how this breach might impact you, contact When Georgia Smiled directly to determine what steps it's taking to protect your data.

To learn about data vulnerabilities in general, read our complete guide to online privacy.

It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.

How and Why We Discovered the Breach

The vpnMentor research team discovered the Aspire News App’s data breach as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities. They examine each weakness for any data being exposed.

Our team was able to find this S3 bucket because it was completely unsecured and unencrypted.

Whenever we find a data breach, we use expert techniques to verify the owner of the data.

As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to all those involved in the app, not only to let them know about the vulnerability but also to suggest ways to make their system secure.

These ethics also mean we carry a responsibility to the public. Aspire News App users must be aware of a data breach that exposes so much of their sensitive data.

The purpose of this web mapping project is to help make the internet safer for all users. 

Introducing The Leak Box

To ensure our mission has the most significant impact possible, we’ve also built The Leak Box.

Situated on the dark web, the Leak Box enables ethical hackers to report any discovered online data breach anonymously. We then authenticate and disclose any submission that is assessed to be a legitimate risk to the safety of the public.

We never sell, store, or expose any information we encounter during our security research. This includes any information reported to us via The Leak Box.

About Us and Previous Reports

vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.

Our ethical security research team has discovered and disclosed some of the most impactful data breaches in recent years.

This has included an enormous data breach exposing the data of 100,000s of niche dating app users. We also revealed that an e-learning platform had compromised the privacy and security of customers all over the world. You may also want to read our VPN Leak Report and Data Privacy Stats Report.

Editor's Note: We would like to acknowledge the assistance we received from Zack Whittaker, Security Editor at TechCrunch, in contacting the organization behind Aspire News App and helping us make sure the misconfigured bucket was secured in less than 24 hours.

If you’re experiencing domestic violence, or know someone who needs help, know that you have resources available at any time, and your country has a national hotline dedicated to supporting you.

For US residents, the National Domestic Violence Hotline (1-800-799-7233) is free and available 24/7. If you find yourself in a dangerous situation that requires immediate help, call 911.

[Publication date: 25th June 2020]