Blind is the anonymous social network that lets employees vent their workplace frustrations. It also lets workers share more serious issues such as improper conduct, wrongdoing, or unfair treatment of employees. But a security lapse made it possible for anyone who knew where to look to access members' account information: the company accidentally left one of its database servers exposed without a password.
Users are now worried that their exposed identities and messages could lead to serious repercussions if revealed to their employers.
The South Korean company launched Blind into the US market back in 2015, achieving rapid success as it became popular among employees of leading tech companies such as Apple, Facebook, Google, Microsoft, Twitter, and Uber.
Blind has been a financial success as well, raising $10 million last year and $6 million the year before. But most people found out about the app when it was used to reveal sexual harassment at Uber. This resulted in Uber blocking the app on its corporate network.
Mossab H., a security expert, discovered the flaw in the server backend on both Korean and US versions of the app and informed Blind. In an e-mail to TechCrunch, Blind executive Kyum Kim said the flaw only impacts users who signed up or logged in between November 1 and December 19 and that “the exposure relates to a single server, one among many servers on our platform.”
The social network only closed the server when TechCrunch followed up by email a week later, after which it also started sending emails to its users informing them about the security snafu.
The email said, in part:
“While developing an internal tool to improve our service for our users, we became aware of an error that exposed user data.”
Kim said that there was no evidence that data was accessed or misused but did not mention how the company knew this.
The company also did not specify if it will be reaching out to US state regulators. Blind’s chief executive Sunguk Moon did not acknowledge the affected server.
The breach could have given bad actors access to the real-time stream of users' logins, posts, and comments. The database also exposed unencrypted private messages exchanged between users, though it did not expose users' associated email addresses. Blind claims that email addresses are not stored on the servers and are only used to confirm employment and give users access to their company's chat board.
While TechCrunch didn’t find any exposed email addresses, it said the leak did reveal users’ unique member IDs.
There are a lot of questions left unanswered, and so far Blind's response has been far from reassuring. Only time will tell what will happen to Blind and its users once the dust settles.