Cybersecurity specialists around the world are calling out Pi Network, the data-consuming app behind the data leaks in Vietnam, exposing the company for its lack of transparency in how it stores user data, as well as the risk the practice poses for much larger cyberattacks in the future.
Ryan Montgomery, the chief technology officer of Pentester.com, a company that specializes in simulated cyberattacks, suggested in a Friday call with Sputnik that Pi Network is not only insecurely storing massive amounts of user data, including details of their contact information, but also stockpiling the information indefinitely, despite requests to have it removed.
Montgomery warned that with the current trend of companies storing users’ personal information, a future data leak on a much larger scale is inevitable.
“If they’ve already been breached in one spot, chances are they are going to be breached again,” Montgomery emphasized, adding that the company’s initial business model may use the lingo of cryptocurrency and mining, but its alleged habit of swindling and selling user data with no real reward is essentially a “slap in the face” to the cryptocurrency community.
In a Twitter post last month, Montgomery, a well-known ethical hacker in the cyber community, posted evidence that Pi collects user contact information including names, numbers, addresses and emails and stores the data on its servers.
It was confirmed in another post earlier this week by ZenChart CEO Rick Glaser that his contact data is continuing to be stored, despite him not being an app user. In his email to Pi Network, he questions the company on its storing of his data, which Pi denies having access to.
During the initial data leak in Vietnam, Pi Network claimed that the leak was not the fault of its company, as user information is stored through a UK-based third-party digital identity service called Yoti.
Yoti has not responded to any reports of the data leak, but some maintain that Pi was pinpointed in an attempt to spread misinformation aimed at trying to discredit the company’s legitimacy.
There are currently more than 6 million Pi Network apps downloaded onto both Apple and Google’s respective devices, suggesting the company is still collecting and storing user data and those of their contacts.
Apple’s App Store states that developers whose apps request access to user contact databases are banned from harvesting that information. Google’s policy maintains that developers must be transparent about their collection and use of data while maintaining its protection.
After the recent data leak, two cybersecurity specialists from Vietnam, whose GitHub usernames are ManhNho and Cu64, performed a deep examination of Pi Network servers and found that not only was Pi’s data easily accessible from the company’s servers, but that Pi continued to store user data even after individuals deleted their account and the application.
The Pi Network pays for Know Your Customer (KYC) data through a cryptocurrency known as “Pi,” which users can mine every day by simply logging into the app and pressing a button. Pi Network was started by Stanford graduates Nicolas Kokkalis, Chengdiao Fan and Vincent McPhillip, and initially received an $800,000 investment by selling Simple Agreement for Future Equity (SAFE) instruments.
The company is currently in Phase 2 of its development, where node software is being tested before the mainnet launch of Pi as an exchangeable cryptocurrency. Pi currently has no real value, but users are anticipating a launch that the company maintains will happen in 2022, depending on the app's expansion.
Cryptocurrencies like bitcoin use a mathematical algorithm to pay their users. Pi, however, uses the Pi consensus algorithm, based on the Stellar Consensus Protocol used by the Stellar blockchain, which essentially sets up user information as nodes that grow depending on the data collected and how the user behaves.
Those who agree to use the app are asked to have their contact data accessed and used, but so far the company has not been upfront about storing the data or deleting it when requested.
The idea is that Pi, like other cryptocurrency, will be free of government interference and fully decentralized. However, this drives the need for legislation and a look into ethical concerns surrounding the mining of user data, which can include information of people who are not technologically savvy.
Recent cyberattacks around the world have brought to attention questions about how much of our data is being stored, as well as the level of cybersecurity needed to ensure the protection of personal information. Last week, US President Joe Biden signed an executive order aimed at improving cybersecurity in the wake of the Colonial Pipeline cyberattack that resulted in a company shutdown and gas shortage across the US East Coast.