Chat app Knuddels fined €20k under GDPR regulation

The case is making the headlines: the German chat platform Knuddels.de (“Cuddles”) has been fined €20,000 for storing user passwords in plain text.

In July, hackers breached the systems of the company Knuddels and leaked its data online.

In September, an unknown individual notified Knuddels that crooks had published the user data of roughly 8,000 members on Pastebin and that much more data had been leaked via Mega.nz.

Knuddels published a data breach notification, forced its users to change their passwords, and duly reported the incident to the Baden-Württemberg data protection authority.

“Hello dear ones, 
when you log into the chat, you are currently asked to change your password. 
That’s a precaution. Account data from Knuddels have been published on the internet. Although we are currently not aware of any third-party use, we have temporarily deactivated these accounts for their security.” reads a message published on the company forum.

“We are currently checking whether there is a security vulnerability on the platform. As soon as we have more information, we’ll let you know, of course. For problems and questions please contact our support at community@knuddels.de.
Please use the hint when logging in and change your password.”

According to the German Spiegel Online, hackers leaked over 800,000 email addresses and more than 1.8 million user credentials on Mega.nz.

“The company from Karlsruhe violated the obligation to ensure the security of personal data, informed the Baden-Wuerttemberg data protection commissioner Stefan Brink on Thursday in Stuttgart,” reported Spiegel Online.

“He told the company that after a hacker attack, it turned to the DPA and informed users immediately and extensively about the attack. According to the company, around 808,000 e-mail addresses and 1,872,000 pseudonyms and passwords were stolen by unknown persons and published on the Internet.”

At the time, the company had verified 330,000 of the published email addresses. Storing passwords in clear text is a violation of the GDPR, and for this reason the regulator imposed its first penalty under the privacy regulation.
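The point the regulator fined is easiest to see side by side: a clear-text record hands every login to whoever copies the user table, while a salted, memory-hard hash does not. The following is an added illustration, not code from Knuddels or from the article; the credential is constructed, and scrypt from Python's standard hashlib stands in for whatever KDF a platform would choose.

```python
import hashlib
import hmac
import os

# Constructed sample credential for illustration only (not real Knuddels data).
SAMPLE_USER, SAMPLE_PASSWORD = "chat_user_42", "correct horse battery"

# --- The pattern the regulator fined: the clear-text password *is* the record. ---
# Anyone who copies the user table (as the attackers did) gets every login directly.
def store_plaintext(password: str) -> dict:
    return {"password": password}

def verify_plaintext(record: dict, attempt: str) -> bool:
    return record["password"] == attempt

# --- Hardened form: per-user random salt + memory-hard KDF (hashlib.scrypt). ---
# The stored record no longer contains the password, so a copied table does not
# yield logins; every guess costs a full scrypt evaluation (here ~16 MiB of memory).
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)

def store_hashed(password: str) -> dict:
    salt = os.urandom(16)  # fresh salt per user: identical passwords get different hashes
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return {"kdf": "scrypt", "salt": salt.hex(), "hash": digest.hex()}

def verify_hashed(record: dict, attempt: str) -> bool:
    digest = hashlib.scrypt(attempt.encode("utf-8"),
                            salt=bytes.fromhex(record["salt"]), **SCRYPT_PARAMS)
    # Constant-time comparison: do not leak how many bytes matched via timing.
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))

def record_exposes_password(record: dict, password: str) -> bool:
    """What a leaked row reveals: True if the password appears verbatim in the record."""
    return password in record.values()
```

Compare `record_exposes_password` on the two record types to see why Art. 32 treats the first as a failure of basic data security.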

The fine was not higher because the company cooperated with the authorities.

“Due to a breach of the data security required by Art. 32 DS-GVO, the penalty office of LfDI Baden-Württemberg imposed a fine of EUR 20,000 by decision of 21.11.2018 against a Baden-Württemberg social media provider and – in constructive collaboration with the company – ensured significant improvements in the security of user data,” reads the statement from the Baden-Württemberg data protection authority.

“By storing the passwords in clear text, the company knowingly violated its duty to ensure data security in the processing of personal data,” the statement continues.

The authority’s State Commissioner for Data Protection and Freedom of Information, Stefan Brink, confirmed that the authority deliberately avoided imposing the highest possible fine, since it did not want to bankrupt the company.

“The overall financial burden on the company was taken into account in addition to other circumstances,” the authority noted.

“The hacker attack was a real test of stress for Knuddels.” It was immediately clear that the trust of users could only be regained with transparent communication and an immediate, noticeable improvement in IT security. “Knuddels is safer than ever,” declared the managing director of Knuddels GmbH & Co. KG, Holger Kujath.


Pierluigi Paganini

(Security Affairs – GDPR, data breach)
