
Bad App Configuration Causes BrewDog Data Leak of 200k People

David Paul

A new report from PenTestPartners found that the leak involved hard-coded API bearer tokens shipped to every shareholder and user of the company's mobile app.

The data of more than 200,000 of BrewDog's 'Equity for Punks' shareholders and customers has been accessible through the company's app over the last 18 months, according to a new report from PenTestPartners.

BrewDog's security issue was reportedly caused by the API bearer token being hard-coded into the app rather than issued to each user following a successful authentication event. Because every user held the same token, any user could access any other user's PII, shareholding and bar discount on the community platform.

Other details leaked through the flaw included dates of birth, email addresses, user gender, telephone numbers and home addresses.

Using the flaw, someone could also generate QR codes from the exposed accounts and claim their discounts and free beer.
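To make the misconfiguration concrete, here is an added example (not BrewDog's, PenTestPartners' or DIGIT's code) of a toy profile API in two forms: the weak configuration, where one bearer token is baked into the app and shared by every install, and a hardened version that issues a per-user token after login and refuses requests whose token subject does not match the account being read. All user records, passwords, tokens and function names are constructed for the example.

```python
"""Added example: a shared hard-coded bearer token next to a per-user token
bound to the authenticated account. Records and tokens are constructed."""
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample user records (not real data).
USERS: Dict[str, dict] = {
    "1001": {"email": "alice@example.com", "dob": "1990-01-01", "shares": 10},
    "1002": {"email": "bob@example.com", "dob": "1985-05-05", "shares": 25},
}
# Constructed credentials; kept in plain text only to keep the example short.
PASSWORDS: Dict[str, str] = {"1001": "alice-pw", "1002": "bob-pw"}

# --- Weak configuration: one static token compiled into every app install ---
SHARED_APP_TOKEN = "hard-coded-app-token"  # constructed placeholder value


def weak_get_profile(bearer: str, user_id: str) -> Optional[dict]:
    """Accepts any request carrying the shared token. Nothing ties the token
    to a particular user, so the check proves only that the caller has the
    app, not that they own user_id."""
    if not hmac.compare_digest(bearer, SHARED_APP_TOKEN):
        return None
    return USERS.get(user_id)


# --- Hardened configuration: token issued at login and bound to a subject ---
class TokenStore:
    """Server-side map from opaque session token to the user it was issued to."""

    def __init__(self) -> None:
        self._tokens: Dict[str, str] = {}  # token -> user_id

    def login(self, user_id: str, password: str) -> Optional[str]:
        """Issue a fresh random token only after the password check succeeds."""
        expected = PASSWORDS.get(user_id, "")
        if not hmac.compare_digest(expected, password):
            return None
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user_id
        return token

    def subject(self, token: str) -> Optional[str]:
        """Return the user the token was issued to, or None if unknown."""
        return self._tokens.get(token)


def hardened_get_profile(store: TokenStore, bearer: str, user_id: str) -> Optional[dict]:
    """Authenticate the token, then authorize: the token's subject must be the
    account being requested. A valid token for Alice cannot read Bob."""
    subject = store.subject(bearer)
    if subject is None:
        return None  # unauthenticated
    if subject != user_id:
        return None  # authenticated but not authorized for this record
    return USERS.get(user_id)


if __name__ == "__main__":
    # Weak: the shared token reads any account.
    print("weak, other user:", weak_get_profile(SHARED_APP_TOKEN, "1002"))
    # Hardened: Alice's token reads Alice only.
    store = TokenStore()
    alice = store.login("1001", "alice-pw")
    print("hardened, own record:", hardened_get_profile(store, alice, "1001"))
    print("hardened, other user:", hardened_get_profile(store, alice, "1002"))
```

The hardened path splits the decision into authentication (is this token one we issued?) and authorization (was it issued to the owner of the record being read?); the shared-token design only ever answers the first question, which is why every account was readable.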

PenTestPartners said that the vulnerability now appears to have been fixed, but so far BrewDog “have not alerted their customers and shareholders that their personal details were left unprotected on the internet”.


Commenting on a data leak of this nature, Niamh Muldoon, Global Data Protection Officer at OneLogin, said: "Business leaders who do not understand that trust and security is a true business differentiator are likely to see an impact on their brand and business over the next couple of years if they haven't already experienced it.

“By 2023, 65% of the world’s population will have their personal data covered under modern privacy regulations, up from 10% in 2020. This problem must be addressed at every level of an organization, including boardroom and executive management teams.

“There is a slight increase in Trust and Security expertise sitting at executive management and boardroom levels, but this is inconsistent across all industries and businesses. If a lack of representation at these levels continues it will impact the trust and brand reputation associated with an organisation.”

Muldoon continued: “Business leaders need to think of the operational controls that can be executed as part of the day-to-day operations to protect data and systems, as well as how they can use these control sets to create a high-performing team working with security and privacy organizations.”

In a statement, a spokesperson for BrewDog said: “We were recently informed of a vulnerability in one of our apps by a third-party technical security services firm, following which we immediately took the app down and resolved the issue.

“We have not identified any other instances of access via this route or personal data having been impacted in any way. There was therefore no requirement to notify users.

"We are grateful to the third-party technical security services firm for alerting us to this vulnerability. We are totally committed to ensuring the security of our users' privacy."


David Paul

Staff Writer, DIGIT
