Rallyhood puts users’ private data at risk

Rallyhood, a social network designed to help people communicate and coordinate their work, left its users’ private data exposed for a period of time.

It turns out that one of its cloud storage buckets hosted on Amazon Web Services (AWS) had no password protection in place.

Worse yet, anyone able to guess its URL location could access Rallyhood users’ sensitive data.

The network hosts various groups, including local bands, sports teams, organising committees and art clubs.

Furthermore, the following organisations call Rallyhood their home: Habitat for Humanity, Komen, YMCA, Girl Scouts and Boy Scouts.

The problematic bucket contained group data ranging all the way from 2011 to last month.

Size-wise, this amounts to 4.1 terabytes of uploaded files sourced from millions of users.

The most problematic types of data leaked this way fall into the following categories: contracts, password lists, permission slips and agreements.

In addition to that, non-disclosure agreements and other sensitive files were also leaked to the public.

At the present time, the bucket’s contents are no longer exposed.

This is thanks to the efforts of a cyber security researcher going by the handle Timeless, who reported the findings without delay so that the exposure could be fixed as soon as possible.

Chris Alderson, chief technology officer at Rallyhood, initially claimed that the bucket was set up for the purposes of testing and that the bucket itself was highly secured.

At a later point, he admitted that file permissions were mistakenly left open for everyone to access for a brief period of time.

The manner in which Rallyhood is planning to notify its users, if at all, is still unknown.

At the time of writing, no website or social media entries regarding the incident have been made.