Response to Teammate App's Notification and Disclosure
First they claimed they were impossible to hack. Then they claimed I hacked them. Both claims are factually inaccurate.
There's an update to my report about a data exposure I discovered and reported to Teammate App.
Teammate App has sent out a notification to its clients that seems to accuse me of being a criminal who hacked into their database, even though there was no hacking involved at all. Attempting to deflect the issue from their failed security to the person who reported the failure to them is a common strategy used by those trying to avoid accountability.
A few points about the disclosure
I will be prefixing snippets of what Teammate App said in the disclosure with T and quoting the text that was extracted directly from the disclosure.
T: “there was for a brief period where there was an open the port for internal debugging and data verification purposes.”
Findings
Queries on BinaryEdge for the Teammate App IP show that the "brief period" the company mentions was 2.5 months.
[Images: BinaryEdge query results for the Teammate App IP, showing the exposure window and the connection privileges]
In the second image, we can see that anyone connecting to the tables had "read" and "write" privileges (readOnly: false).
The port that allowed unauthenticated connections was also the default port MongoDB uses.
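The two settings that produce exactly this situation, a database listening on the default port with no authentication and full read/write for anyone who connects, are `net.bindIp` and `security.authorization` in mongod.conf. The script below is an added example (not Teammate App's configuration or code, and not part of the original post): it reads a mongod.conf, flags the weak combination, and shows it beside the hardened equivalent. The two configs are constructed for illustration, and the parser only handles the flat two-level YAML subset used in them.

```python
"""Audit a mongod.conf for a publicly bound, unauthenticated listener.

Added example, not Teammate App's code. The configs below are constructed.
"""
from typing import Dict, List

# Constructed "before": listens on every interface, no authorization section,
# so every client that reaches 27017 gets read/write access to every database.
WEAK_CONF = """\
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed "after": loopback only (put the app host's address here if the
# app runs elsewhere) and role-based access control switched on.
HARDENED_CONF = """\
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""

PUBLIC_BINDS = {"0.0.0.0", "::", "0.0.0.0,::"}


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal parser for the 'section:\\n  key: value' subset of mongod.conf.

    This is NOT a general YAML parser; it only covers the two-level layout used
    by the sample configs above (and by most stock mongod.conf files).
    """
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        key, _, value = raw.strip().partition(":")
        if raw.startswith(" "):          # indented line: key inside a section
            if section is not None:
                conf[section][key.strip()] = value.strip()
        else:                            # top-level section header
            section = key.strip()
            conf.setdefault(section, {})
    return conf


def audit(conf: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means no issue found."""
    net = conf.get("net", {})
    sec = conf.get("security", {})
    # mongod itself defaults bindIp to localhost and authorization to disabled.
    bind = net.get("bindIp", "127.0.0.1")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    port = net.get("port", "27017")
    public = bind_all or bind in PUBLIC_BINDS
    no_auth = sec.get("authorization", "disabled") != "enabled"

    findings = []
    if public:
        findings.append(f"net.bindIp={bind}: mongod listens on every interface, port {port}")
    if no_auth:
        findings.append("security.authorization is not 'enabled': any client that "
                        "connects has full read/write access (readOnly: false)")
    if public and no_auth:
        findings.append("CRITICAL: public listener with no authentication; "
                        "anyone who finds the IP on a scanner index can read and write the data")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for f in audit(parse_conf(text)) or ["no findings"]:
            print(" -", f)
```

Run it against your own /etc/mongod.conf with `audit(parse_conf(open("/etc/mongod.conf").read()))`. The check is deliberately conservative: binding to a non-loopback address is only reported when it is a wildcard, because an internal address with authorization enabled is a legitimate deployment; the combination that matters is wildcard bind plus no authorization.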
T: “as to his illegal and unauthorised access by bypassing security controls into any databases.”
Findings
There were no security controls to bypass, so none were bypassed. Everything was freely available to anyone who found the server's IP on websites such as BinaryEdge.
T: They emphasize that no files were "extracted."
Findings
That is factually inaccurate, and I will provide the NZ Privacy Commissioner with proof of that. For them to repeat that no files were extracted suggests that Teammate App either had no logs at all or had logs that were inadequate to determine how many IPs accessed their data. I will leave that to the NZ Privacy Commissioner to determine, but clients may wish to insist that Teammate show them all logs related to the period the data was exposed publicly.
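The question clients should be asking is answerable from mongod's own log if it was kept: every accepted connection is recorded with the client's address, so the number of distinct outside IPs that reached the server during the exposure window is a matter of counting. The script below is an added example, not something from Teammate App or from the original post. The log lines are constructed, in the structured JSON format that MongoDB 4.4 introduced (field names as I know them; check them against your own server's log), and the internal address ranges are an assumed allowlist.

```python
"""Count distinct client IPs that connected to a mongod, from its JSON log.

Added example, not Teammate App's logs or code. Log lines are constructed.
"""
import ipaddress
import json
from collections import Counter
from typing import Counter as CounterT, Dict, Iterable, Sequence

# Constructed sample of mongod structured log lines (MongoDB 4.4+ JSON format).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for
# unknown Internet clients; 10.0.0.5 stands in for the application server.
LOG_LINES = [
    '{"t":{"$date":"2021-03-01T10:00:00.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.5:51234","connectionId":1,"connectionCount":1}}',
    '{"t":{"$date":"2021-03-01T10:05:12.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.7:40122","connectionId":2,"connectionCount":2}}',
    '{"t":{"$date":"2021-03-01T10:05:40.000+00:00"},"s":"I","c":"NETWORK","id":22944,"ctx":"conn2","msg":"Connection ended","attr":{"remote":"203.0.113.7:40122","connectionId":2,"connectionCount":1}}',
    '{"t":{"$date":"2021-03-01T11:17:03.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"198.51.100.23:33001","connectionId":3,"connectionCount":2}}',
    'this line is not JSON and must be skipped, not crash the review',
    '{"t":{"$date":"2021-03-01T12:00:00.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"203.0.113.7:40980","connectionId":4,"connectionCount":3}}',
    '{"t":{"$date":"2021-03-01T12:30:00.000+00:00"},"s":"I","c":"NETWORK","id":22943,"ctx":"listener","msg":"Connection accepted","attr":{"remote":"10.0.0.5:51300","connectionId":5,"connectionCount":4}}',
]

# Assumed allowlist: addresses that are expected to talk to this database.
INTERNAL_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")


def remote_ip(remote: str) -> str:
    """Strip the port from mongod's 'host:port' remote field; handles [v6]:port."""
    host, _, _ = remote.rpartition(":")
    return host.strip("[]")


def connections_by_ip(lines: Iterable[str]) -> CounterT[str]:
    """Count accepted connections per client IP; non-JSON lines are skipped."""
    counts: CounterT[str] = Counter()
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("c") == "NETWORK" and rec.get("msg") == "Connection accepted":
            counts[remote_ip(rec["attr"]["remote"])] += 1
    return counts


def external_clients(counts: Dict[str, int],
                     allowed: Sequence[str] = INTERNAL_RANGES) -> Dict[str, int]:
    """Return only the IPs that fall outside every allowed network."""
    nets = [ipaddress.ip_network(a) for a in allowed]
    return {ip: n for ip, n in counts.items()
            if not any(ipaddress.ip_address(ip) in net for net in nets)}


if __name__ == "__main__":
    counts = connections_by_ip(LOG_LINES)
    outside = external_clients(counts)
    print(f"{len(counts)} distinct client IPs, {len(outside)} outside the allowlist:")
    for ip, n in sorted(outside.items(), key=lambda kv: -kv[1]):
        print(f"  {ip}: {n} connection(s)")
```

On a real server, feed it `open("/var/log/mongodb/mongod.log")` and narrow the window by the `t.$date` field. If the log has rotated away or was never written at the needed level, that absence is itself the answer to "how do you know nothing was extracted": without connection records there is no basis for the claim.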
T: The company also writes about trying to “apprehend me” and “reporting me” to the NZ Commissioner, the police, and Substack.
No crime has been committed. Should Substack remove the post, it will be mirrored elsewhere so that everyone understands that this was not a hacking incident but a data leak by Teammate App that they are trying to minimize and blame on others.
One final note
To date, no entity has refuted or shown any inaccurate claims in the ~50 public reports I have published.
Teammate App claims they are contacting the NZ Privacy Commissioner about this incident. I will also be contacting the Commissioner's office to provide more data and evidence concerning the leak that Teammate seems to be denying or minimizing.
Finally a great thanks to a number of Teammate’s clients who have privately contacted me to thank me for my post and efforts to get their data secured properly. They were so offended by Teammate's attempt to throw me under the nearest bus that I received copies of Teammate's disclosure and notification from multiple people.
If you’re interested in more incidents I have dealt with, you can check all my public finds indexed by country in the post below: