The Cybernews research team found that video call app Huddle01 exposed email addresses, real names, and other identifiers through an unprotected Kafka broker.
Think of an unprotected Kafka broker like a post office that stores and delivers confidential mail. Now, imagine the manager leaves the front doors wide open, with no locks, guards, or ID checks. Anyone can walk in, look through private letters and photos, and grab whatever catches their eye.
Huddle01 is a video call app that focuses on decentralized Web Real-Time Communication (WebRTC). WebRTC is appealing because it lets people talk and share data directly between devices without using a central server. Done right, this can reduce latency, cut costs, and improve privacy.
But leaving your Kafka broker open to anyone who happens to stumble upon it does not qualify as “doing privacy right.” The Kafka broker operated without authentication or encryption, meaning anyone could listen in, collect logs, or potentially alter data if write access existed. This demonstrates a fundamental misconfiguration that puts both users and the platform at risk.
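An added example, not from the article or from Huddle01, of what this kind of misconfiguration looks like in a Kafka broker's server.properties, beside a hardened version (the two sections are separate files; hostnames, paths and passwords are placeholders):

```properties
# ---- server.properties (weak): how an exposure like the one above happens ----
# Listener bound to every interface, no TLS, no authentication.
listeners=PLAINTEXT://0.0.0.0:9092
advertised.listeners=PLAINTEXT://broker.example.internal:9092
# No authorizer configured, so every connecting client can read every topic
# (and produce to it, if nothing else blocks writes).

# ---- server.properties (hardened): encrypt, authenticate, authorize ----
# TLS on every client and inter-broker connection.
listeners=SASL_SSL://0.0.0.0:9093
advertised.listeners=SASL_SSL://broker.example.internal:9093
security.inter.broker.protocol=SASL_SSL
ssl.keystore.location=/etc/kafka/ssl/broker.keystore.jks
ssl.keystore.password=PLACEHOLDER_KEYSTORE_PASSWORD
ssl.truststore.location=/etc/kafka/ssl/broker.truststore.jks
ssl.truststore.password=PLACEHOLDER_TRUSTSTORE_PASSWORD
# Require authentication; SCRAM credentials are stored in cluster metadata,
# not in this file.
sasl.enabled.mechanisms=SCRAM-SHA-512
sasl.mechanism.inter.broker.protocol=SCRAM-SHA-512
# Check every request against ACLs and deny anything not explicitly allowed.
# (On a KRaft cluster use org.apache.kafka.metadata.authorizer.StandardAuthorizer.)
authorizer.class.name=kafka.security.authorizer.AclAuthorizer
allow.everyone.if.no.acl.found=false
super.users=User:kafka-admin
```

With the hardened file in place, clients that cannot authenticate are refused at connection time, and even authenticated clients see only the topics an ACL grants them, so an unlisted listener gets nothing rather than a stream of user records.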
The Kafka instance contained over 621,000 log entries from the last 13 days, belonging to Huddle01, including:
- Usernames (sometimes real names)
- Email addresses
- Crypto wallet addresses (Huddle01 supports many wallets across blockchains like Bitcoin and Ethereum)
- Detailed activity data, such as which users joined specific calls, participants in each call, country, time, date, and duration
- Other identifiers
The app is popular among cryptocurrency users, and in this case the open Kafka instance could have deanonymized them by tying their wallet addresses to usernames and email addresses, which also marks them as potentially high-value targets.
It also makes users more vulnerable to social engineering, since attackers can craft credible emails or messages using real names and meeting data.
And hold on for the worst part. Cybernews states it responsibly disclosed the data leak to the company behind Huddle01…
“However, it did not respond to the initial disclosure and subsequent attempts. After one month, the exposed server remained accessible. It’s unclear how many other third parties might have accessed the data.”
Security tips for affected users
Knowing that the exposed information goes back about two weeks doesn’t help much, since anyone with access could have set up a data collector and listened in on the real-time stream as it was being processed.
So, any Huddle01 users should:
- Change passwords on accounts linked to the exposed email or username, and use strong, unique passwords for each site.
- Set up two-factor authentication (2FA) wherever possible to prevent unauthorized access.
- Monitor inboxes for suspicious messages. Be extra cautious of emails or texts asking for crypto transactions or sensitive information, as targeted phishing is a possibility. Be especially wary of social engineering attempts that reference details from meeting logs, such as who you spoke to or when meetings occurred.
- Stay updated on official statements from Huddle01 or news coverage, as they may release more guidance later.
Pro tip: Did you know that you can submit suspicious messages like these to Malwarebytes Scam Guard, which instantly flags known scams?
We don’t just report on scams—we help detect them
Cybersecurity risks should never spread beyond a headline. If something looks dodgy to you, check if it’s a scam using Malwarebytes Scam Guard, a feature of our mobile protection products. Submit a screenshot, paste suspicious content, or share a text or phone number, and we’ll tell you if it’s a scam or legit. Download Malwarebytes Mobile Security for iOS or Android and try it today!