
An Android Hotspot Finder App Leaked Over 2 Million Passwords

Thousands of users downloaded a popular hotspot finder app for Android that recently leaked over two million Wi-Fi network passwords, according to TechCrunch. The app developers are believed to be based in China. Here’s what happened:

The popular hotspot app allowed any user to search for nearby Wi-Fi networks.  Then, users could upload passwords from their devices to the app database for others to use. The database, which held more than two million network passwords, was left exposed and unprotected. The result? Anyone could access and download its contents, including:

  • Wi-Fi network name
  • Precise geolocation
  • BSSID (Basic Service Set Identifier, which identifies a section of a wireless network)
  • Network password, stored in plain text (unencrypted)

In other words, the leak had the potential to expose a lot of personal information. Not good.

How the Leak Was Discovered

A security researcher and a member of the GDI Foundation discovered the database and contacted the host, DigitalOcean, which took down the database within a day of being notified. The app’s developer claimed that the app only provided passwords to public hotspots; however, its data showed many home Wi-Fi networks. Fortunately, none of these home Wi-Fi network owners had their contact information exposed.

Why This is Important

This app didn’t require users to obtain permission from the network owner to access a network, which exposed the Wi-Fi networks to unauthorized access. Unauthorized access is a major issue. For example, it could allow attackers to modify router settings to point unsuspecting users to malicious websites. Attackers do this by changing the DNS server, the service that converts web addresses into the IP addresses used to locate web servers on the internet.

If attackers get onto a network, they can also read the unencrypted traffic that goes across the specific Wi-Fi network. Knowing this information allows them to then steal passwords and other personal information.

The takeaway is to always make sure that your home Wi-Fi network is protected and requires an authorized access request to connect, and to never share your password in any public domain.


The post An Android Hotspot Finder App Leaked Over 2 Million Passwords appeared first on Actiontec.com.