Security researchers have uncovered an unprotected database belonging to the Tokee messaging app, exposing the profiles of approximately 1.2 million users. While chat logs remained encrypted, the leaked personal data includes phone numbers and profile details, raising significant privacy, security, and regulatory concerns.
- Database exposed user profiles of about 1.2 million Tokee users
- Sensitive information such as phone numbers and device tokens was accessible
- Encrypted chat logs remain protected but personal data still poses risks
What happened
Cybersecurity researchers discovered that Tokee, a messaging app developed by Deucetek in the US, had stored user data in an unprotected MongoDB database. The exposed information included user display names, phone numbers stored as numbers, profile pictures, device tokens used for push notifications, user IDs, activity timestamps, and account status flags. The database was not secured by a password, so anyone who found it could access this sensitive data.
Although chat logs were present in the database, the messages were encrypted using password-based OpenSSL encryption, which mitigated the immediate threat to message content. Following responsible disclosure of the vulnerability, Deucetek secured the database, and there is no indication that the data was abused or distributed on the dark web.
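The exposure described above comes down to a database that listens on a reachable interface with no authentication required. The following Python script, added here as an illustration and not code from Tokee, Deucetek, or the researchers, checks a mongod.conf for exactly those two settings (`security.authorization` and `net.bindIp`/`net.bindIpAll`, which are real MongoDB configuration keys) and shows a constructed insecure configuration beside a hardened one. The parser is a minimal two-level reader written for this example so that it runs without third-party dependencies; it is not a general YAML parser.

```python
"""Flag the two mongod.conf settings that turn a MongoDB instance into an
open, unauthenticated database: authorization not enabled, and a listener
bound to every interface.

Both configurations below are constructed samples for this example.
"""

# Constructed sample: the shape of a configuration that leaves the database
# reachable without credentials (the situation the article describes).
INSECURE_CONF = """\
storage:
  dbPath: /var/lib/mongodb   # path is illustrative
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: authorization enabled, listener limited to loopback.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb   # path is illustrative
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_mongod_conf(text):
    """Parse the section/key layout of mongod.conf into {section: {key: value}}.

    Only the two-level form (unindented 'section:' followed by indented
    'key: value' lines) is handled; comments and blank lines are skipped.
    """
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop trailing comments
        if not line.strip():
            continue
        if not line.startswith(" "):            # top-level section name
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_mongod_conf(text)
    findings = []

    # Without authorization, any client that can reach the port has full access.
    if conf.get("security", {}).get("authorization", "disabled") != "enabled":
        findings.append("security.authorization is not 'enabled': "
                        "any client that can reach the port gets full access")

    # mongod has defaulted to binding localhost only since 3.6; an explicit
    # 0.0.0.0 / :: or bindIpAll exposes it on every interface.
    net = conf.get("net", {})
    bind = net.get("bindIp", "127.0.0.1")
    exposed = net.get("bindIpAll") == "true" or any(
        ip.strip() in ("0.0.0.0", "::") for ip in bind.split(","))
    if exposed:
        findings.append(f"net.bindIp={bind!r} listens on all interfaces: "
                        "restrict to loopback or an internal address")
    return findings


if __name__ == "__main__":
    for name, conf in (("insecure", INSECURE_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_mongod_conf(conf) or ['OK']}")
```

Enabling authorization and restricting the bind address are the minimum; in practice the instance should also sit behind a firewall and, where it must be reachable remotely, use TLS and per-application accounts with least-privilege roles.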
Why it matters
The exposed personal data of about 1.2 million users — likely representing most of Tokee’s user base — presents serious privacy and security challenges. Such information can be used for identity theft, phishing attacks, social engineering, or unauthorized access to user accounts on other services. Device tokens and phone numbers in particular can facilitate targeted scams or intrusive notifications.
From a regulatory standpoint, the data leak could draw scrutiny under privacy laws depending on the jurisdictions where affected users reside. Companies handling sensitive user data are expected to implement robust security measures to prevent leaks like this. The incident underscores the importance of proper database security and encryption standards for smaller platforms that may not have the resources or expertise of major competitors.
What to watch next
Users of Tokee should remain vigilant about suspicious messages, especially those purporting to come from Tokee or its parent company Deucetek, as leaked contact information could fuel phishing campaigns. Monitoring account activity and changing passwords where applicable is advisable to reduce risk.
On the industry side, regulators or data protection authorities might investigate the incident to assess any violations or whether fines or mandatory audits are warranted. The event also serves as a cautionary tale for emerging messaging apps to invest in strong cybersecurity defenses and regular audits to safeguard user data and maintain trust.