Was my app DB hacked?

#SOLVED, partially. We realized that it was partly due to a vulnerability in some tables, which we are working to resolve.

I would like to thank everyone who made several important points for their attention.
Mainly to @chris.williamson1996
//////// From here on it was not edited.
My Bubble database was INVADED, where the person managed to get any data they wanted. Mainly my clients’ EMAIL and PASSWORD.
Below I will put the print of the conversation on WhatsApp where she gave me this information and told me, in part, how she achieved this.
How can Bubble’s DB be insecure like this?
I’m already working to migrate my DB and backend to Xano and Supabase, to avoid these types of risks.
I want to know what the Bubble company is going to do about this!

This print below shows when the person spoke to me:

Here it shows that she sent me the email and password of 6 users on my system:

Here’s the rest of the conversation:


Has anyone else gone through this?

1 Like

Oh dear. This thread is going to get a lot of comments - but let me be first and kind about it. :slight_smile:

Without something called privacy rules that you control and manage (not Bubble) your Bubble data is typically and can be public. Read this carefully before freaking out even more Protecting data with privacy rules | Bubble Docs

Also google Flusk.eu - for tools to let you do your own application penetration tests.

Having said all of that though - they claim to also have got the password … so this doesn’t seem like privacy rules issue to me but I won’t speculate :slight_smile: Contact support@bubble.io and look for advice from them.

It will be interesting to see how this evolves.

6 Likes

Hmmm, I am wondering whether this is a scam sales technique to get you thinking you have been hacked?

Can they do a SQL Injection on an obfuscated database?

As Lindsay has also suggested, check your privacy settings etc.

2 Likes

Someone with more knowledge might be able to comment more specifics on this, but I am curious if you tried the Email and Password combinations to see if they worked for logging in?

I am starting with the assumption it’s not that easy to pull out passwords from Bubble, so I am thinking they may have found the User Emails due to weak privacy rules and then are claiming to know passwords since you cannot view them in the database to scare you. Then they will ask for money (the pen test).

If those are legitimate passwords for those email addresses, are those email addresses legitimate users or were they created by the individual themselves? (So then they obviously know the passwords)

If both the Users and Passwords are legitimate then I would contact Bubble directly

5 Likes

Exactly what I am thinking. I think they may have got those user credentials from another source. And they are spoofing you with the data to get you worried and then charge you $1500 to “solve” the problem.

Call me cynical, but I think it is a scam.

2 Likes

Privacy rules are defined in the system for the user table. Now which privacy rule gives access to users’ passwords? Because whoever broke into the system to show the vulnerabilities gave us the users’ email and PASSWORD, which I validated by entering the account with that email and password and it worked, to my surprise.

1 Like

Do you store the password in your database at all? Have you confirmed that those are all unique users and not users the bad actor has made?

To retrieve passwords, unless you store them in any way, would mean Bubble’s auth system is vulnerable, which seems unlikely.

3 Likes

Thanks for the suggestions. I’ll check both.

Very good point @chris.williamson1996 that would be very sneaky

5 Likes

Hello. Yes, users and emails are legitimate. I have tested most of them.
And what worries me most is that they extracted the passwords.

It’s possible that it’s that too. I’ll look into it further.

Another thing to check is if these passwords are things a user would’ve created (ex: cats123) or if they are something that looks generated.

If generated, then do you have backend workflows with exposed password reset flows exposing tokens anywhere?

Bubble does hold very strong compliance; to dump your database, which is all encrypted at rest on Bubble’s side, and then brute force through it all would require an absurd amount of time. Unless your app is very large scale, it’s incredibly unlikely.

My assumption is the passwords are some form of smoke and mirrors to convince you, OR your app has a vulnerability due to your own development, either in a backend that’s set to ignore privacy rules, bad data practice like storing passwords, or privacy rules that were not set up correctly.

Yeah… that definitely looks like a scam message (they’re fairly common)

And whilst, if your privacy rules are not up to much, it’s possible for data like email addresses to be found in your database, users’ raw passwords are not stored in the database at all (unless you’re manually storing them) - rather a hashed version of them is, so it should be virtually impossible for the original password to be extracted.

So, if they genuinely do have your User’s passwords, it’s highly unlikely they’re getting them from your database.

If I were you I’d change those 6 Users’ passwords, then ask this guy to send you the passwords again for the same 6 Users, to prove what he’s saying.

If they can send you the newly changed passwords, then you know they must be able to extract them from your database (virtually impossible).

If not then you’ll know they’re talking nonsense (which would be my guess), at the very least in terms of how they’re accessing the passwords. My guess would be that you won’t hear back from them at all.

Although it would be very interesting (and worrying) if they were able to provide them.

7 Likes

Could that person have created himself a few fake users and sent you the credentials he himself set?

6 Likes

Another possibility is that those users have the same password on another website which has been leaked. Perhaps try running them through a password leak checker such as https://haveibeenpwned.com/, and if you get the passwords, it’s likely he just took them from that site instead of your database.

6 Likes

Hello. This was the only privacy rule that was weak. The others in the User table are all defined by access level and a User can only search for other users who are in the same company.

The password reset was being sent by the frontend, but I now put it through the backend.

BUT nothing explains how they gained access to the PASSWORDS. They are different users, from different companies in different regions of Brazil.

1 Like

What does your Data API look like? If you DM me your Bubble app name I’ll run a quick audit on it for you. (Just DM me)

1 Like

Thank you all for jumping into this issue and trying to help. Awesome to see.

@cotadorsimplificado maybe the users are reusing passwords that were compromised elsewhere? It’s very hard to know without troubleshooting and investigating your app. Like Lindsey said above, you should connect with support and they can look into all of this with you

Edit: the amount of info they were willing to share via whatsapp along with how generic it is really screams scam here

4 Likes

Scam… nothing wrong with Bubble in this scenario.

If you don’t store passwords in a text field, the accounts were created by the same user, and you’ll know that because they were created at similar times.

The amount of ‘weak cipher’ spam emails I get is a huge pain in the ass, but scams like this are all over. All they do is look for sites built with a certain tool (e.g. Bubble) then contact the admin.

Serious researchers certainly don’t disclose by WhatsApp!

6 Likes

Oh, also looks like all the emails are hotmail addresses. Coincidence? Probably not. Hotmail (anecdotally) is less ‘trustworthy’ than Gmail etc.

2 Likes