UpGuard can now report that a cloud storage repository containing personally identifiable information (PII) and device data tied to millions of phone app users, collected by the multi-device advertising app “TVSmiles”, has been secured. Among the 261 database tables present, the “core_users” table consists of over 6.6 million rows. Of the entries containing an email address, 901,000 are unique. The publicly accessible storage bucket contained a 306 GB PostgreSQL database backup with unencrypted PII matched to individual users, profiling insights about users’ interests based on quiz responses, associations to smart devices, and accounts and login details for TVSmiles’ business relationships. TVSmiles is a German company with customers and users largely located in Europe where the General Data Protection Regulation was passed in 2016 and implemented in 2018.
On May 8th, 2020 an UpGuard analyst detected the public Amazon S3 bucket, which contained successive versions of applications relevant to TVSmiles mobile phone app and one 306 gigabyte database backup file from 2017. The database backup file contained centralized information about users of the app alongside large amounts of internal system and partnership information necessary for any business participating in the modern online advertising ecosystem.
On May 13th, 2020 UpGuard notified TVSmiles and received an automatic reply confirming receipt of the notification email. When no further response arrived within the next 24 hours, UpGuard contacted PubNative, the company that had acquired the TVSmiles development team in late 2019. To his credit, the founder of TVSmiles then sent a response within a few hours thanking us for the notification and informing us the data had been secured. UpGuard followed up and confirmed to him that the data was no longer publicly accessible.
TVSmiles is a mobile phone app delivering gamified mobile advertising to users’ devices for the purpose of enhancing the TV watching experience with relevant quizzes, advertising, and other interaction. According to the description on LinkedIn, “The app combines ads, games and an extensive mobile loyalty program in a unique way. Instead of simply showing ungainly ads that aren’t adapted to mobile, TVSMILES stages ads as a trivia game and rewards users for engaging with ‘Smiles’, the official in-app currency.” The app generates revenue from advertising and it is more effectively able to get users to view those ads by framing them as games or quizzes. In a positive feedback loop, those quizzes provide information about the user’s interests that can be used to target future ads. As a mobile app, TVSmiles is also able to associate the identity, profile, and interactions of each user with their devices.
According to their LinkedIn page, TVSmiles had two million users in Germany and the U.K.. A table in this database called “user_core” contained six million rows, with many users having their “country” field marked for other territories throughout Europe, making this data consistent with being a master database for TVSmiles at the time. The user_core table contained fields for email address, fb_user, fb_access_token, first and last name, gender, date of birth, address, phone number, password, and others. Not all data points were present for all users– for example, the Facebook specific fields would likely only be present for users who had connected with their Facebook identity, and users who had authenticated via Facebook would not inherently need to create a password for the app due to the functionality of that authentication method.
Other notable tables present include “business_clients,” which lists companies relevant to the individuals listed among “business_client_users.” It is reasonable to interpret these names as business clients, who have paid to publish ads on TVSmiles or have access to insights gleaned from end-user app interaction. These business users’ hashed passwords, phone numbers, email addresses, names, and other data points were also present. Conversely, TVSmiles’ own credentials for interacting with vendors necessary to provide the TVSmiles platform, like ad exchanges, fraud detection platforms, and email communication scheduling, were also present. If this database had been located by malicious entities, prior to UpGuard discovering it and sending appropriate notification, the possibility exists that such credentials could have allowed an attacker to impersonate TVSmiles and collect additional information about arbitrary targets from those other platforms and service providers.
A larger collection of enrichment data, however, is in a table pertaining to end user devices. In addition to the six million rows in user_core, a table called “device_core” contains 7.5 million rows that appear to be tied to physical devices. These devices have unique device ids, access tokens, and mappings to the user ids of their owners. Those device ids, in turn, are then relevant to a “tracking_token” table consisting of 235 million entry rows. The rows in the tracking_token table include fields such as campaign_id, placement_id, user_payout, and challenge_id, building up a picture of the TVSmiles activity– like which ads and activities users responded to on each device– which can then be linked back to the user.
A collection of “insights” gathered from those activities were tracked as intents, interests, and other psychographic qualities. These subjects ranged from consumer goods (e.g. books, video games, furniture, and clothing) to the user’s education and more esoteric interests. Other tables further enriched the information attached to those users and devices. The "user_insights" table with 295k rows also contained data reflecting the users’ latitude and longitude, full name, and phone number. One of the administrative “views” configured for this specific database, named “full device info”, highlighted the “tracker_name,” a token value, and the nearest weather station.
UpGuard’s research on exposed data often intersects with the world of ad targeting, as this industry depends on the widespread collection and concentration of personal data. Recently UpGuard reported on an exposure by Tetrad, a consumer data firm, with detailed profiles of millions of Americans. Mobile phone apps commonly make user tracking part of the data they collect, and as the New York Times has reported, superficially “anonymous” data becomes personally identifiable at the scale collected by mobile devices. As the NYT write, “If you could see the full trove [of data collected on cell phone locations], you might never use your phone the same way again.” Portions of that data are precisely what are available to mobile ad tech companies, and what is available to the world when those data sets are exposed.