Brewer’s Token Gaffe Causes Massive PII Breach
An authentication error left the personal data of hundreds of thousands of BrewDog customers and Equity for Punks shareholders exposed for a year and a half.
The gaffe involving an API bearer token was discovered by researchers at security consulting and testing company Pen Test Partners.
"Every mobile app user was given the same hard-coded API Bearer Token, rendering request authorization useless," wrote the researchers in a blog post published today.
The mistake allowed any user to access the personally identifiable information (PII) belonging to another user. Other information exposed in the incident included users' shareholding details and bar discount.
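To show why a single shared token defeats authorization, here is an added illustration, not code from BrewDog or Pen Test Partners, with constructed user records and a placeholder token: the shared-token check sits beside a per-user session token combined with an object-level ownership check.

```python
import secrets

# Constructed sample records; not real customer data.
USERS = {
    "u1001": {"name": "Alice Example", "dob": "1990-05-14", "shares": 12},
    "u1002": {"name": "Bob Example", "dob": "1985-11-02", "shares": 3},
}

# Vulnerable pattern: one bearer token baked into every copy of the app.
SHARED_APP_TOKEN = "static-token-shipped-in-app"  # constructed placeholder


def get_profile_vulnerable(auth_header, user_id):
    """The only check is 'is this the app's token?'. Every install has it,
    so any caller can read any user's record by changing user_id."""
    if auth_header != f"Bearer {SHARED_APP_TOKEN}":
        return 401, None
    return 200, USERS.get(user_id)


# Hardened pattern: a random per-session token issued at login, mapped to
# a subject, plus a check that the subject owns the requested record.
SESSIONS = {}


def login(user_id):
    """Issue an opaque, unguessable session token bound to one user."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def get_profile_hardened(auth_header, user_id):
    if not auth_header or not auth_header.startswith("Bearer "):
        return 401, None
    subject = SESSIONS.get(auth_header[len("Bearer "):])
    if subject is None:
        return 401, None          # unknown or expired token
    if subject != user_id:
        return 403, None          # authenticated, but not this user's record
    return 200, USERS.get(user_id)
```

The hardened handler still returns the caller's own profile, but a request for someone else's record with a valid token is refused rather than served.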
Researchers said that the details of over 200,000 shareholders "plus many more customers" were exposed "for over 18 months."
The token error left BrewDog vulnerable to theft, according to researchers, who noted that shareholders can claim a free beer in the three days before or after their birthday under the terms of the Equity for Punks scheme.
"One would simply access an account with the required date of birth, generate the QR code and the beers are on BrewDog!" wrote the researchers.
Pen Test Partners has criticized BrewDog's handling of the cybersecurity