Why Was Clinkle Hacked Before It Even Launched?

Clinkle is one of the most mysterious and overwhelmingly funded new payment processing apps expected to hit the market in 2014, but it isn’t yet available on the market. That being said, there was a recent hack to their “placeholder” app that will inform people on the waiting list to try it out once it’s released and is available for download. Though they aren’t actively providing services to any customers yet, Clinkle is apparently still collecting information such as names, address, phone numbers, and credit card numbers from customers that are ready to go as soon as the app becomes live ahead of time.This left the up-and-coming app extremely vulnerable to an attack that was successfully accomplished recently because they never expected that anyone would try at this stage of development. The hack was verified because a list of 33 usernames, phone s numbers, and profile pictures were leaked to a website named Paste Bin, but was fairly quickly taken down by the site’s administrators once they realized what it was. This isn’t the first time that their website was used to leak this type of information, so they were quick to correct the problem.

Nobody was safe from this data violation, not even Clinkle’s founder Lucas Duplan. That’s right, everyone on the testing and development staff that had their information entered in the database was exposed on the list, which proves how deep and aggressive this hack was. Others on the list include former Netflix CFO and now Clinkle COO Barry McCarthy and former PayPal exec Mike Liberatore who is now the Clinkle CFO.

The path of the hack seems to stem from the API that Clinkle has in place but isn’t thoroughly tested or locked down. The quote from the hacker is as follows:

Results from Clinkle typeahead API. It requires no authentication. The app stores writes results to disk automatically. This is much worse than Snapchat’s breach. Phone numbers masked as courtesy.

Essentially, this means that the hacker was able to access all this data on one of Clinkle’s servers without any user ID or other credentials because the data was completely free of any required authentication. Though this is clearly a more vulnerable design than Snapchat’s, it isn’t really as bad because it was a list of 33 test accounts that were exposed instead of 4.6 million of Snapchat’s user’s data. That being said, it is still some poor craftsmanship for a company with $30 million in private funding in the opinion of many high-end programmers.