A mobile application designed to help iPhone users manage insomnia has been found exposing sensitive user data, raising serious privacy and cybersecurity concerns. Researchers from Cybernews revealed that the iOS app, Sleep Journey: Insomnia Helper, left more than 25,000 users’ personal and health-related data publicly accessible due to a misconfigured backend.
The exposed data included full names, email addresses, birth dates, gender, sleep patterns, and information on alcohol, nicotine, and medication use. Activities performed before sleep and other behavioral details were also part of the leak. The data was stored on an improperly secured Firebase server—a cloud-based database platform widely used by mobile apps.
In addition to leaking user information, the app also revealed its own internal development secrets in the client-side code. These included API keys, database URLs, Google App IDs, and project IDs—details that could be exploited by attackers to access back-end services, impersonate the app, or run operations at the expense of the app’s operator.
The exposure of both personal and behavioral data from the app significantly increases the risk of targeted cyberattacks. With access to names, email addresses, birth dates, and detailed health-related information, malicious actors could craft highly convincing phishing emails or social engineering campaigns. For example, attackers could impersonate healthcare providers or app support teams, referencing specific user habits to gain trust and extract further information or credentials. The availability of these details, combined with leaked app secrets like API keys and database URLs, creates a dangerous opportunity for credential stuffing, spam, and even identity theft, especially if reused passwords or email addresses are linked to other online accounts.
The case of Sleep Journey underscores the importance of robust security configurations, especially in apps that collect sensitive health data. While designed to enhance well-being, such tools can easily become a privacy liability when basic protections are overlooked.