BrewDog, the Scottish brewery and pub chain famous for its crowd-ownership model and its IPAs, has irreversibly exposed the personal details of 200,000 of its shareholders and customers.
The exposure lasted for over 18 months, and the source of the leak was the firm's mobile app, which gives the 'Equity Punks' community access to information, discounts at bars, and more.
As detailed in a PenTestPartners report, the problem lies in the app's API, and more specifically in its token-based authentication. The blunder was that the API tokens were hard-coded into the mobile application itself rather than being issued to it only after a successful user login. A token baked into the app binary is identical for every install and can be recovered by anyone who decompiles the app or inspects its network traffic, so presenting it proves nothing about which user is making the request.
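To make the design flaw concrete, here is an added example (not BrewDog's code and not from the Pen Test Partners report) that contrasts an API accepting a single token embedded in the app with one that issues a fresh token after login and binds it to the authenticated user. All endpoint names, customer records, passwords and token values are hypothetical and constructed for the demonstration.

```python
"""Hard-coded app token vs. per-user token issued after login.

Added illustrative example, not code from BrewDog or Pen Test Partners.
Everything below (customers, passwords, token strings, function names)
is hypothetical and constructed for the demo.
"""
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample "shareholder" records keyed by customer id.
CUSTOMERS = {
    1001: {"name": "Alice Example", "email": "alice@example.com"},
    1002: {"name": "Bob Example", "email": "bob@example.com"},
}
# Constructed credential store. A real service would store password hashes;
# plain text is used here only to keep the example short.
PASSWORDS = {1001: "alice-pw", 1002: "bob-pw"}

# --- Vulnerable design: one static token shipped inside the app binary ------
# Every install carries the same value, so anyone who extracts it from the
# app (or captures it from traffic) can call the API as "a valid client".
APP_EMBEDDED_TOKEN = "static-app-token-shared-by-every-install"  # hypothetical


def vulnerable_get_customer(bearer_token: str, customer_id: int) -> Optional[dict]:
    """Returns any customer's record to any caller holding the embedded token.

    The check only answers "is this our app?", never "which user is this?",
    so the customer_id parameter is fully attacker-controlled.
    """
    if not hmac.compare_digest(bearer_token, APP_EMBEDDED_TOKEN):
        return None
    return CUSTOMERS.get(customer_id)


# --- Hardened design: token issued on login and bound to that user ----------
SESSIONS: Dict[str, int] = {}  # issued token -> customer id it belongs to


def login(customer_id: int, password: str) -> Optional[str]:
    """Issues a random, per-session token only after credentials check out."""
    expected = PASSWORDS.get(customer_id)
    if expected is None or not hmac.compare_digest(password, expected):
        return None
    token = secrets.token_urlsafe(32)  # unguessable, unique per login
    SESSIONS[token] = customer_id
    return token


def hardened_get_customer(bearer_token: str, customer_id: int) -> Optional[dict]:
    """Returns a record only to the user the token was issued to.

    The server derives the identity from the token it issued; it does not
    trust a customer id supplied by the client on its own.
    """
    owner = SESSIONS.get(bearer_token)
    if owner is None or owner != customer_id:
        return None  # unknown token, or an attempt to read someone else's data
    return CUSTOMERS.get(customer_id)


def run_demo() -> dict:
    """Exercises both designs and returns the observable outcomes."""
    alice_token = login(1001, "alice-pw")
    return {
        # Static token: Bob's record is readable by anyone with the app token.
        "static_token_reads_other_user": vulnerable_get_customer(APP_EMBEDDED_TOKEN, 1002),
        # Issued token: Alice reads her own record, but not Bob's.
        "issued_token_reads_own": hardened_get_customer(alice_token, 1001),
        "issued_token_reads_other_user": hardened_get_customer(alice_token, 1002),
        # The embedded token is worthless against the hardened endpoint.
        "static_token_against_hardened": hardened_get_customer(APP_EMBEDDED_TOKEN, 1001),
        "bad_password_login": login(1001, "wrong-pw"),
    }


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label}: {result}")
```

During an assessment, the tell-tale sign of the vulnerable pattern is a fixed token string in the decompiled app that also appears unchanged as the Authorization header in every captured request, regardless of which account is logged in. The hardened version above fixes both halves of the problem: the token is minted server-side only after a successful login, and authorization is derived from the token's owner rather than from an identifier the client sends.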
Source: Bleeping Computer