Cyber Incident Victim: Covve
Date:
May 2020
Location:
United Kingdom
Summary
A popular address book application suffered a data breach exposing personal details of nearly 23 million individuals. Security researcher Troy Hunt identified the platform as the source of a publicly accessible database he had been investigating for several months prior to disclosure. The incident involved sensitive user information left unprotected in an online repository, marking one of the largest consumer data exposures discovered that year. Hunt's independent analysis ultimately traced the compromised records back to the contact management service.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
The Covve data breach, publicly identified in mid-May 2020, originated from a misconfigured database associated with the address book application. Security researcher Troy Hunt disclosed via Twitter on May 16 that Covve was the source of a publicly accessible database he had been investigating since February 2020. This exposure impacted approximately 23 million individuals whose personal information was stored in the compromised system. The timeline indicates the database remained unprotected for at least three months before public identification, though the exact duration of exposure remains unspecified in available reports. Hunt's revelation followed his initial discovery of the unprotected data repository earlier in the year, though no evidence suggests Covve acknowledged the incident prior to his May 16 announcement. The breach attracted media attention through coverage by The Daily Swig and subsequent republication on DataBreaches.net on May 15, one day before Hunt's definitive attribution.
Covve's status as a contact management application inherently involved storing substantial volumes of personal user data, though the specific data elements exposed were not detailed in initial disclosures. The incident's scale—affecting tens of millions—stemmed from the platform's business-focused user base whose professional contacts were aggregated within the system. Public reporting confirmed the database's accessibility but did not specify whether malicious actors accessed or exfiltrated the data before its discovery. No information regarding containment procedures, forensic investigations, or remediation efforts by Covve was available in the immediate aftermath. The primary confirmed consequence was the exposure risk for millions of individuals whose records resided in the unprotected database, with Hunt's Have I Been Pwned? service providing breach verification for affected parties. Media coverage emphasized Covve's market position as a popular productivity tool while underscoring the systemic risks of cloud-based data storage misconfigurations.