Third-Party Music Converter Used by Spotify, Audible, and Apple Music Exposed User Data

 By Charles Joseph | Cybersecurity Researcher
 Published on January 1st, 2024
This post was updated on January 2nd, 2024

Are you aware of the potential risks of using music streaming services? TuneFab, a music converter service from Hong Kong, recently encountered a critical security issue. Due to a misconfiguration, it accidentally exposed its users’ private data.

TuneFab, known for converting copyrighted music from multiple renowned streaming platforms like Spotify, Amazon’s Audible, Apple Music, etc., into various other formats, is now in the limelight for unfortunate reasons.

Approximately 151 million parsed records, comprising 280GB of data, were left unprotected. Cybersecurity researcher Bob Diachenko discovered the exposure on September 26th, 2023. The exposed details include IP addresses, user IDs, emails, device information, and more, all sensitive attributes that malicious actors online could exploit.

This breach was not the result of a sophisticated cyber attack. It stemmed from mismanagement of MongoDB, a document-oriented database platform, which was improperly configured and thus left all of TuneFab's stored data open to public access.

MongoDB can be thought of as an online version of archival software that lets organizations store their data digitally and securely. If it is set up incorrectly or left 'unlocked,' so to speak, it lays bare all of the confidential data it holds, as TuneFab's recent debacle shows.
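The article does not say which setting was wrong. As an added example (not from the article or from TuneFab), this Python check assumes the common pattern of a listener reachable beyond loopback with access control off, and audits a `mongod.conf` for `net.bindIp`, `net.bindIpAll` and `security.authorization`. The sample configs and the `10.0.0.5` address are constructed.

```python
# Added example: flag a mongod.conf that listens beyond loopback without auth.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def flatten(conf_text):
    """Flatten the simple nested-mapping YAML used by mongod.conf into dotted keys."""
    out, stack = {}, []          # stack holds (indent, key) of open parent mappings
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        if not line.strip() or ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:   # close mappings we have left
            stack.pop()
        value = value.strip().strip("\"'")
        if value:
            out[".".join([k for _, k in stack] + [key])] = value
        else:
            stack.append((indent, key))           # "key:" opens a nested mapping
    return out

def audit(conf_text):
    """Return a list of findings; an empty list means the check did not fire."""
    c = flatten(conf_text)
    findings = []
    # mongod binds to localhost when bindIp is unset (default since 3.6)
    binds = {a.strip() for a in c.get("net.bindIp", "127.0.0.1").split(",")}
    if c.get("net.bindIpAll", "false").lower() == "true":
        binds.add("0.0.0.0")
    exposed = sorted(binds - LOOPBACK)
    # authorization is disabled unless explicitly enabled
    auth_on = c.get("security.authorization", "disabled").lower() == "enabled"
    if exposed and not auth_on:
        findings.append("listens on %s with access control disabled" % ", ".join(exposed))
    return findings

# Constructed sample configs: the weak setting beside the corrected one.
WEAK = "net:\n  bindIp: 0.0.0.0\n"
HARDENED = """
net:
  bindIp: 127.0.0.1,10.0.0.5   # constructed private address
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "no findings")
```

A clean result here covers only these two settings; firewall rules and cloud security groups that decide who can reach the port are outside what the file shows.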

Although actions were triggered within a day of Diachenko's finding, TuneFab has unfortunately not yet responded formally to queries regarding any remedial measures implemented following its digital oversight.

This incident brings much-needed attention to the importance of individual privacy online and how application developers need to take extra precautions to handle customer data securely. It will be interesting to see whether TuneFab faces repercussions from regulatory bodies for this breach.
