A little-known video and text messaging app left the personal details of roughly 1.2 million users exposed on the open internet. The incident, first spotted late last year, highlights persistent failures in basic database security among smaller developers racing to build chat platforms.
Researchers at Cybernews discovered the unprotected MongoDB instance on December 3, 2025. It belonged to Deucetek, an Atlanta-area software firm behind Tokee. The database held names, phone numbers, profile pictures, device push tokens, user identifiers, account creation dates, last-seen timestamps, and status flags indicating premium accounts. Chat messages sat in the same system but appeared to be protected with OpenSSL's password-based symmetric encryption, meaning the content is only as safe as the passphrase and wherever that passphrase is kept.
Yet the metadata alone tells a story. Last-seen times reveal when users open the app. Device tokens open doors to targeted notifications. Phone numbers link identities across services. Taken together, the records create a map of user behavior that attackers prize.
Tokee never gained the reach of WhatsApp or Signal. Still, it crossed one million downloads on Google Play. The breach likely touched the bulk of its audience. And it stayed open far longer than it should have. The database was not secured until January 19, 2026, more than six weeks after discovery.
“Although user chat messages stored in the same infrastructure appear to be encrypted using password-based OpenSSL encryption, the exposed personal data alone presents significant privacy, security, and regulatory risks,” the Cybernews team stated in its report.
They went further. Even encrypted conversations lose protection when surrounding context leaks. “Even when message content is encrypted, exposed metadata can reveal who communicates, when, and from where, undermining user privacy,” researchers explained. The combination erodes the very privacy messaging apps promise.
Smaller providers feel these blows hardest. Tokee now faces questions about user trust. Adoption may slow. Long-term survival sits in doubt. Larger platforms absorb similar mistakes with brand buffers and legal teams. Startups do not.
Deucetek has not issued a public statement. Cybernews contacted the company and relevant authorities before publishing. The database came down after notification. No signs point to malicious scraping or dark-web sales. But absence of evidence is not evidence of absence. Anyone could have found the exposed instance during those weeks.
The technical lapse was straightforward. No firewall. No authentication. The server accepted connections from the public internet with access control switched off. Since version 3.6, MongoDB binds only to localhost by default, so an exposure like this typically means someone widened the bind address to reach the database from other hosts without enabling authorization at the same time. Firebase Storage links inside the records confirmed the connection to Tokee’s project. Field names matched the app’s functions. There was no ambiguity about ownership.
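The following is an added illustration, not Deucetek’s actual configuration: a constructed mongod.conf fragment showing the open pattern the report describes beside a hardened replacement. The interface addresses, certificate path and the assumption that the deployment used a file-based mongod.conf are all hypothetical.

```yaml
# --- Exposed pattern (constructed example) ---
# Listens on every interface and has no security section,
# so authorization stays at its default of disabled.
net:
  port: 27017
  bindIp: 0.0.0.0

---
# --- Hardened replacement (constructed example) ---
net:
  port: 27017
  # Only loopback plus the private address the app tier uses (hypothetical value).
  bindIp: 127.0.0.1,10.0.0.5
  tls:
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb.pem   # hypothetical path
security:
  # Every connection must authenticate; create the admin user via
  # localhost before restarting with this setting.
  authorization: enabled
```

After restarting, confirm from a host outside the allowed addresses that a connection is refused, and from an allowed host that `mongosh --host <address> --eval 'db.adminCommand("listDatabases")'` fails with an Unauthorized error until credentials are supplied. A network-level rule (cloud security group or host firewall) restricting port 27017 to the application subnet belongs alongside the config, so a single misapplied setting does not reopen the door.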
Users should treat incoming messages with fresh skepticism. Any note claiming to come from Tokee or Deucetek deserves extra scrutiny. Phishing campaigns already experiment with leaked contact lists. Device tokens make push-based attacks simpler and more convincing.
This case echoes broader patterns. Recent incidents at other apps, including dating safety platform Tea, exposed images, IDs, and private messages in quick succession. Those breaches, covered by TechCrunch, showed how one misstep compounds when multiple databases sit unprotected. Tokee avoided exposing plaintext chats. Many others have not been so fortunate.
Regulatory exposure looms. Laws in Europe and stateside demand reasonable protection for personal data. A database left readable by the world rarely meets that standard. Fines, investigations, or class-action suits could follow, though no enforcement action has surfaced yet.
Encryption alone proves insufficient. Password-based encryption in particular protects only the message bodies, leaves every other field readable, and depends on a passphrase that must live somewhere the application can reach. The Cybernews researchers drove that point home. “For smaller messaging providers like Tokee, such incidents carry outsized reputational impact, potentially affecting user trust, adoption, and long-term viability. The case also reinforces that encryption alone is insufficient without proper infrastructure security,” they concluded.
Developers often prioritize speed. Features ship fast. Security reviews lag. MongoDB instances multiply across cloud projects. Configuration errors become inevitable without automated checks or mandatory audits. The Tokee incident offers a textbook example of what happens next.
Phone numbers stored as plain integers can be fed straight into automated calling or SMS phishing. Avatars hosted on Firebase allow easy profile scraping. Timestamps enable pattern analysis that infers relationships or routines. None of this data was supposed to sit in public view.
Industry watchers have grown weary of these repeats. Every year brings fresh examples of exposed databases holding millions of records. Many involve the same services: MongoDB, Elasticsearch, Firebase. Lessons exist. Adoption of those lessons moves slowly.
Tokee users can check whether their information appeared by visiting the checker tool linked in the Cybernews coverage. Changing passwords elsewhere makes sense if the same number or email appears across services. Enabling two-factor authentication adds another barrier. Basic steps, yet often overlooked.
The app remains available on both major stores. Its page makes no mention of the incident. That silence may prove costly if users learn of the exposure through news rather than direct communication.
Security teams at larger messaging companies will study this quietly. They will audit their own cloud assets for similar gaps. Some will tighten internal policies. Others will treat it as another data point in an endless stream.
But for Deucetek and its users, the damage is immediate. Trust, once lost, returns slowly. And in a crowded market, users switch platforms without hesitation when doubts surface.
The exposure closed months ago. Its effects may linger far longer.
WebProNews is an iEntry Publication