A token authentication error has led to the details of hundreds of thousands of BrewDog’s customers and ‘Equity for Punks’ shareholders being exposed for the best part of 18 months.
According to researchers at Pen Test Partners, a fault in the way BrewDog’s mobile app handled token authentication allowed users to access personally identifiable information (PII) belonging to other users.
“Every mobile app was given the same hard-coded API Bearer Token, rendering request authentication useless,” wrote the researchers.
Information exposed included names, dates of birth, email addresses, gender, telephone numbers, and users’ shareholding details.
Researchers said that the details of over 200,000 shareholders “plus many more customers” were exposed for over 18 months.
“Many of the data items breached would be considered PII under GDPR definitions and as such, companies have a legal obligation to keep PII data safe and secure. Hard-coding a bearer token into a mobile application which provides authentication to download the PII data of all BrewDog customers and shareholders is not secure!”
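To make the design flaw concrete, the following is an added example written for this page; it is not BrewDog’s code and not from the Pen Test Partners write-up. It contrasts a toy API handler that accepts one bearer token shared by every app install (and trusts the client-supplied customer ID) with a hardened handler that issues a per-session token and derives the caller’s identity from it server-side. It also includes a small log check a defender can run to spot a token value being presented from many distinct devices. The customer records, token strings, device IDs and log lines are all constructed placeholders.

```python
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample data: a tiny fake customer table (not real BrewDog data).
CUSTOMERS: Dict[str, dict] = {
    "u1001": {"name": "Alice Example", "email": "alice@example.invalid", "shares": 12},
    "u1002": {"name": "Bob Example", "email": "bob@example.invalid", "shares": 3},
}

# --- Weak pattern: one bearer token baked into every copy of the app --------
HARDCODED_APP_TOKEN = "app-token-shared-by-every-install"  # constructed placeholder


def weak_get_customer(headers: Dict[str, str], customer_id: str) -> Optional[dict]:
    """Checks only that the caller presents the shared app token, then trusts the
    client-supplied customer_id. Every install holds the same token, so any
    install can read any record: the token proves nothing about *who* is asking."""
    if headers.get("Authorization", "") != f"Bearer {HARDCODED_APP_TOKEN}":
        return None
    return CUSTOMERS.get(customer_id)


# --- Hardened pattern: per-session token, identity resolved server-side ----
SESSIONS: Dict[str, str] = {}  # token -> customer_id; lives only on the server


def login(customer_id: str) -> str:
    """Issue a random, unguessable token bound to one customer. In a real system
    this runs only after credential or OAuth verification (omitted here)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = customer_id
    return token


def _caller_from_header(auth_header: str) -> Optional[str]:
    """Map a presented bearer token back to the customer it was issued to."""
    if not auth_header.startswith("Bearer "):
        return None
    presented = auth_header[len("Bearer "):]
    for token, cid in SESSIONS.items():
        if hmac.compare_digest(token, presented):  # constant-time comparison
            return cid
    return None


def hardened_get_customer(headers: Dict[str, str], customer_id: str) -> Optional[dict]:
    """Identity comes from the session, not from the request body or URL. A
    caller may read only their own record; anything else is refused."""
    caller = _caller_from_header(headers.get("Authorization", ""))
    if caller is None or caller != customer_id:
        return None
    return CUSTOMERS.get(customer_id)


# --- Detection: is one token value turning up from many different devices? --
# Constructed access-log lines in a simple key=value format (hypothetical).
SAMPLE_LOG: List[str] = [
    "device=d-111 token=app-token-shared-by-every-install path=/customers/u1001",
    "device=d-222 token=app-token-shared-by-every-install path=/customers/u1002",
    "device=d-333 token=app-token-shared-by-every-install path=/customers/u1001",
    "device=d-111 token=sess-x9 path=/customers/u1001",
]


def shared_tokens(log_lines: List[str]) -> Dict[str, int]:
    """Return {token: distinct_device_count} for tokens seen from more than one
    device. A per-session token should map to one device; a value shared across
    many installs is the hard-coded-token smell described in the article."""
    devices_per_token: Dict[str, set] = {}
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
        if "token" in fields and "device" in fields:
            devices_per_token.setdefault(fields["token"], set()).add(fields["device"])
    return {tok: len(devs) for tok, devs in devices_per_token.items() if len(devs) > 1}


if __name__ == "__main__":
    print(weak_get_customer({"Authorization": f"Bearer {HARDCODED_APP_TOKEN}"}, "u1002"))
    alice = login("u1001")
    print(hardened_get_customer({"Authorization": f"Bearer {alice}"}, "u1001"))
    print(hardened_get_customer({"Authorization": f"Bearer {alice}"}, "u1002"))
    print(shared_tokens(SAMPLE_LOG))
```

The point of the hardened handler is that the server never lets the request name the subject: the token identifies the caller, and the caller’s own ID is the only one the handler will serve. A static token compiled into the app can be extracted from any install, so it can at most identify the app, never the person using it; a per-user session token fixes that, and the log check gives a way to notice when one token value is being reused across many devices.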
After being informed about the exposure numerous times, BrewDog took down the vulnerable API several days later.