
A popular iPhone app designed to promote mindfulness and relaxation has inadvertently exposed the personal data of thousands of users, according to findings by the Cybernews research team. The iOS application, 7 Minute Chi – Meditate & Move, was found to have a misconfigured Firebase instance that publicly revealed sensitive customer information, including names and email addresses.
The breach affects a product meant to foster calm and well-being, creating a stark contrast between its intended purpose and the anxiety it now causes over data privacy. While Apple does not disclose exact download numbers, third-party estimates suggest the app may have been installed more than 22,000 times. However, the scope of the data leak is significantly larger. Researchers discovered over 100,000 user records exposed, a number that could be just a fraction of the total if the temporary Firebase database stored and rotated more data over time.
Cybernews researchers warned that improperly secured Firebase databases are a known target for threat actors. Such attackers can deploy scrapers—automated tools that continuously extract new data from vulnerable endpoints. This opens the door to phishing attacks and spam campaigns aimed at unsuspecting users.
“The data leaked from the app was sensitive as it may allow threat actors to obtain app users’ email addresses and launch spam or phishing campaigns against them,” the research team said.
In addition to user data, the app’s client-side code revealed a troubling array of embedded app secrets, including API keys, database URLs, Google App IDs, and Facebook App IDs. These plaintext credentials, if exploited, could allow an attacker to gain unauthorized access to app services, manipulate user data, or even incur charges to legitimate users by abusing third-party integrations.
Cybernews has reached out to the company behind 7 Minute Chi – Meditate & Move for comment. As of publication, no response has been received.
This incident forms part of a broader trend identified by Cybernews in a large-scale investigation into iOS app security. Researchers analyzed 156,000 iOS apps—roughly 8% of the Apple App Store’s catalog—and found that 71% of them contained at least one exposed secret in their source code. On average, each app revealed over five sensitive credentials.
The investigation also uncovered vulnerabilities in other iOS apps, including those serving BDSM, LGBTQ+, and sugar dating communities. In some cases, private images and conversations were left unprotected. Apps marketed for family tracking or confidential communications were similarly found leaking troves of sensitive data.