"Brewer's Token Gaffe Causes Massive PII Breach"

An authentication error left the personal data of hundreds of thousands of BrewDog customers and Equity for Punks shareholders exposed for a year and a half. Researchers at the security consulting and testing company Pen Test Partners discovered the gaffe, which involved an API bearer token. According to the researchers, every mobile app user was given the same hard-coded API bearer token, rendering request authorization useless: the token proved only that a request came from the app, not which user was making it. The researchers noted that the mistake allowed any user to access the personally identifiable information (PII) belonging to any other user. Other information exposed in the incident included users' shareholding details and bar discounts. Researchers said that the details of over 200,000 shareholders "plus many more customers" were exposed for over 18 months. The researchers criticized BrewDog's handling of the cybersecurity issue, claiming that "disclosure was rather fraught." BrewDog declined to inform its shareholders, asked not to be named, and it took four failed fixes before the problem was resolved correctly.
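The following is an added illustration, not code from the article, Pen Test Partners or BrewDog: it contrasts a handler that trusts a single app-wide bearer token (so any client can read any user's record) with one whose token is bound to a user identity and checked against the requested resource. User ids, PII values and the token string are constructed placeholders.

```python
"""Why a shared, hard-coded bearer token cannot authorize per-user requests."""
import secrets

# Constructed sample records: PII plus the kind of shareholding detail the article mentions.
USERS = {
    "u-1001": {"name": "Customer A", "email": "a@example.invalid", "shares": 40},
    "u-1002": {"name": "Customer B", "email": "b@example.invalid", "shares": 12},
}

# Weak pattern described in the article: one token baked into every copy of the app.
SHARED_APP_TOKEN = "app-token-shared-by-every-install"  # constructed placeholder


def get_profile_shared_token(auth_header, requested_user_id):
    """Vulnerable: the token says 'this is our app', never 'this is user X'.
    The user id comes from the request, so any install can fetch any record."""
    if auth_header != f"Bearer {SHARED_APP_TOKEN}":
        return 401, None
    return 200, USERS.get(requested_user_id)


# Hardened pattern: a per-session token issued at login, stored server-side only,
# and mapped to exactly one user id.
SESSIONS = {}  # token -> user id


def login(user_id):
    """Issue an unguessable session token bound to this user (hypothetical login step)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user_id
    return token


def get_profile_bound_token(auth_header, requested_user_id):
    """Hardened: identity is derived from the token, then object-level access is
    checked against that identity, so a valid client still cannot read another user."""
    if not auth_header.startswith("Bearer "):
        return 401, None
    subject = SESSIONS.get(auth_header[len("Bearer "):])
    if subject is None:
        return 401, None          # unknown or revoked token
    if subject != requested_user_id:
        return 403, None          # authenticated, but not this user's data
    return 200, USERS[subject]
```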


Infosecurity reports: "Brewer's Token Gaffe Causes Massive PII Breach"

Submitted by Anonymous on