Social media app leaks data of 172,000 users, including location coordinates


Level 2
May 4, 2020
The CyberNews investigations team discovered an unsecured data bucket that belongs to Panion, a Swedish software company. The unprotected bucket contains more than 2.5 million user records, including full names, email addresses, genders, interests, location coordinates and last login dates, as well as selfies and document photos.

The files containing the records were left on a publicly accessible Amazon Web Services (AWS) server, allowing anyone to access and download the data.

After we contacted Amazon regarding the exposed Panion bucket, access to files containing user data was disabled.
The publicly available Panion Amazon S3 bucket contained 694,116 files, including:

  • 693,018 image files uploaded by the developers and users, including selfies and documents shared by users in either group or private chats
  • 61 CSV periodically updated files that contained what appears to be 2,596,369 user records, of which 171,855 records belonged to unique users
Aside from the user records, the bucket contained hundreds of thousands of images presumably exchanged by users of the Panion app.


Staff member
Malware Hunter
Jul 27, 2015
We found the Panion bucket on September 17 and immediately reached out to the company about the leak. However, we received no response from Panion.

On September 25, we contacted Amazon in order to close the unsecured bucket, and they disabled public access to the server.
the naked gun facepalm GIF