A mobile conferencing app developed for the UK's Conservative Party leaked the private details of people who registered to attend party conferences, including the details of party members and UK government officials.
The leak was discovered on Saturday afternoon, September 29, by Guardian columnist Dawn Foster who posted her findings on Twitter.
Foster discovered that anyone who wanted to attend a video conference using the Conservative Party's mobile app would only have to register using an email address.
The app didn't use any type of authentication mechanisms, such as passwords or one-time codes sent via email. A user only needed to type an email address into the app's login field to access a profile page.
Also: GDPR: What's really changed so far?[1]
It didn't take long after Foster's revelations for Twitter users to realize that they only needed to guess a Conservative Party members' email address to access his or her account.
Some party members used official party or government-issued email addresses to register for the app, such as Michael Gove (UK's Secretary of State for Environment, Food and Rural Affairs) and Boris Johnson (Secretary of State for Foreign and Commonwealth Affairs), two leading figures of the Conservative Party.
Miscreants abused the app's faulty login system to either share user personal details online or change profile details.
For example, a user accessed Boris Johnson's account and changed the profile picture to a pornographic image, while another changed Michael Gove's profile image to a photo of Rupert Murdoch, his previous employer.
Some phone numbers and email addresses for high-profile British Members of Parliament (MPs) were shared on Twitter earlier today. Some received prank calls and messages.
In a statement on its website, the Information Commissioner's Office (ICO), the UK's privacy watchdog,