
I’ve reported a bug like this in an application that deals with a similarly sensitive topic. They managed to call me back in 30 minutes (I never gave them my number) and had it fixed in a few hours.

I did contact them via every medium I could find, not just email. Obviously, the response these folks got from the company should have told them they were talking to the wrong person, and they should have been more vigilant in attempting to contact the right person.



I contacted a similar Finnish-based application about similar issues, where almost everything, including all the user images, could have been collected from the JSON API endpoint.

Their response was that it is not a bad or insecure system because the information is only available to logged-in users. So the API just needs an authentication header.

So all the user data could have been easily collected into one's own database using a simple script.
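As an added example that is not part of the thread or of the application the commenter describes: the pattern above is an authentication check with no authorization check. Any valid session can walk sequential ids and collect every record. The mock endpoint below shows that design beside a hardened one that scopes each record to its owner; all user records, tokens, endpoint names and field names are constructed for the demonstration.

```python
"""Added example (not from the thread or the application it describes):
why "the API requires an authentication header" does not stop one logged-in
user from harvesting every other user's profile. All names and data here are
constructed for the demonstration."""

import json

# Constructed user table: what the hypothetical /users/<id> endpoint serves.
USERS = {
    1: {"id": 1, "name": "Aino", "email": "aino@example.invalid",
        "images": ["img_1a.jpg", "img_1b.jpg"]},
    2: {"id": 2, "name": "Ville", "email": "ville@example.invalid",
        "images": ["img_2a.jpg"]},
    3: {"id": 3, "name": "Sanna", "email": "sanna@example.invalid",
        "images": []},
}

# Constructed session tokens -> user id. Any valid token counts as "logged in".
SESSIONS = {"tok-aino": 1, "tok-ville": 2, "tok-sanna": 3}

# Fields the product exposes to other members; everything else is private.
PUBLIC_FIELDS = ("id", "name")


def _authenticate(headers):
    """Return the calling user's id, or None if the token is missing/invalid."""
    token = headers.get("Authorization", "")
    if not token.startswith("Bearer "):
        return None
    return SESSIONS.get(token[len("Bearer "):])


def get_user_authn_only(headers, user_id):
    """The pattern the commenter describes: authentication, no authorization.
    Any logged-in caller receives the full record of any user id."""
    if _authenticate(headers) is None:
        return 401, json.dumps({"error": "login required"})
    user = USERS.get(user_id)
    if user is None:
        return 404, json.dumps({"error": "not found"})
    return 200, json.dumps(user)


def get_user_authz(headers, user_id):
    """Hardened: the caller gets the full record only for their own id;
    other users' records are cut down to the public fields."""
    caller = _authenticate(headers)
    if caller is None:
        return 401, json.dumps({"error": "login required"})
    user = USERS.get(user_id)
    if user is None:
        return 404, json.dumps({"error": "not found"})
    if caller == user_id:
        return 200, json.dumps(user)
    return 200, json.dumps({k: user[k] for k in PUBLIC_FIELDS})


def harvest(endpoint, token, id_range):
    """The 'simple script': walk sequential ids with one valid session and keep
    everything the endpoint hands back. Returns {user_id: record}."""
    headers = {"Authorization": f"Bearer {token}"}
    collected = {}
    for uid in id_range:
        status, body = endpoint(headers, uid)
        if status == 200:
            collected[uid] = json.loads(body)
    return collected


def leaked_private_records(collected):
    """Count harvested records that still carry a private field."""
    return sum(1 for rec in collected.values()
               if "email" in rec or "images" in rec)


if __name__ == "__main__":
    for name, ep in (("authn only", get_user_authn_only),
                     ("authn + authz", get_user_authz)):
        got = harvest(ep, "tok-ville", range(1, 10))
        print(f"{name}: {len(got)} records, "
              f"{leaked_private_records(got)} with private data")
```

With the authentication-only endpoint, Ville's single session pulls all three full records; with the per-object check, the same walk yields only his own private data and two public stubs. The ownership check is the core fix; in a real service you would also want non-sequential identifiers and rate limiting so that even public fields cannot be bulk-enumerated cheaply.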


> They managed to call me back in 30 minutes (I never gave them my number)

What does this mean? They tracked you down?


I imagine most mobile apps have access to the basic dialer info of the phone they're running on.


Apple actually doesn’t expose this via any iOS APIs. Not 100% sure about Android.


Pretty sure Android does. TikTok knew my phone number before I gave it to them.


Could be as easy as a friend of yours uploading their whole address book (ostensibly “to find friends”)


On Android you need to give it the READ_PHONE_STATE permission.


Does it expose any sort of "device id"? Such ids are usually asked for by advertisers and iOS and Android gladly give it to them. I'm sure there are device-id to phone-number maps out there, and anyone with money can get access to them.


The device ID that you can get via any SDK on iOS is not real. And even if you can get it by any other means, Apple would not approve your app.


Consider that _any_ app you've linked your email and phone number to could (in theory) sell access to your data to any other company that only has your email, and then they have both. Or (as another commenter noted) the great many apps that upload your friends' entire contact lists. Consider all the IDs, fingerprinting techniques (etc.) out there, juxtaposed against the high value that information has (in marketing / ad space), and it seems likely there are many ways to get this information, whether or not you provided it.


Unique device IDs are app-specific.


They did their research.


How often do the researchers get paid for doing this sort of work?


An early stage company doesn’t have much to pay you with, but they’re thankful for the help.

From my perspective, protecting the data of 10k users was just as important as, or more important than, protecting the data of 1.5m users.

I feel bad when people assume negative intent. I don’t think anyone at this company wanted to violate the privacy of their users; they just didn’t get the message through the right channels.


> protecting the data of 10k users was just as important as, or more important than, protecting the data of 1.5m users

Care to elaborate on the logic behind that?


One line of reasoning is that everyone will know about companies leaking the data of millions, so they can take steps to mitigate, whereas probably no one will know about a leak like this and will just live unaware.


IMO,

1) Early users feel the most connected with your technology and are the most hurt when you screw them over. At that stage, it can sink your company.

2) Fixing this when you have 10k users prevents you from leaking the data of the next 1.49m users.


In my last startup we received 5 bitcoin from Coinbase for finding a relatively minor security bug. Prices were pretty low then, though.


With hindsight, a hell of a call option.


Generally boils down to whether or not the company has some kind of bug bounty program. If they do and it’s in scope, you will probably get paid; in this case likely $1-5k.

Smaller companies that don’t have a bug bounty might provide a token reward just because, larger companies generally won’t.

Any company that hasn’t explicitly authorized ‘research’ might also choose to sue.


Larger companies put out bounties so that researchers will spend more time on specific issues they have.


Now you are assuming there IS a right person to talk to.


At a certain point I think we'll arrive at the collective realization that we all have digital skeletons in our closet. When we all stink, nobody stinks.


When everybody stinks, you lose your freedom, as anybody can pressure you.

It’s not because everybody stinks that you know they stink or can exploit it.



