Clinkle, the well-funded mobile payments startup staffed by former executives of PayPal, Netflix and other e-commerce companies, appears to have had data leaked from its person-to-person payments app, exposing personal information and photos of some of the company's employees.
An anonymous user posted 33 names, phone numbers, photos, and user IDs on the software code sharing website Pastebin, claiming it was taken from a Clinkle application program interface that does not require authentication, TechCrunch reports. The API purportedly facilitates an autocomplete feature called "typeahead" in Clinkle's iOS and Android mobile apps.
Clinkle alleges Andrew Aude, a computer science student at Stanford University, is responsible for exposing the user data, and was also the person who "entered our system in September and exposed our screen shots," spokesperson Ana Braskamp said in an email.
"We were able to trace his API activity back to his Stanford email address through session data," Braskamp added in a follow-up email.
In a phone interview with PaymentsSource, Aude acknowledged that his jailbroken iPhone was used to access the Clinkle app, but said he did not access the user data and screen shots himself, nor did he post them online.
"Six months ago, I had signed up for the [Clinkle] wait list and it left my email address linked to my phone hardware identifier," he says. "It's all too convenient when they look at my email and name and everything to point the finger at me when I didn't actually do it."
Aude says he lent his iPhone to a group of four students and one of them exposed the user data and screen shots.
"Anyone can just start looking throughout the whole innards of this thing and start leaking it on their own," he says. "It doesn't take a massive, orchestrated attack or hack-type thing in order to produce the same results. Someone just tinkering around figured it out in like 10 minutes."
The Clinkle app is available for download, but has a wait list that prevents people from using it. Aude said the data was accessed by disabling the wait list.
"It's protected by this wait list, but you just change two bytes of data within the app and the whole thing just opens up," he said, adding later, "You could also make the API request without even ever running the app, from a computer."
Clinkle maintains that it was not hacked and that the exposure was limited to test data.
"TechCrunch/PasteBin are describing visibility that was purposefully built into the system as part of our preliminary user testing and was always intended to be turned off. We were using an open API, which has now been closed," Braskamp said via email. "As you can see from the list, we've been testing internally and registrations have been limited to Clinkle employees."