
A server linked to Huddle01, a video meetings app built on a decentralized communication platform, has been found leaking sensitive user data, raising serious privacy concerns for thousands of crypto users worldwide.
Researchers from Cybernews discovered an unsecured Apache Kafka broker, a server in the distributed event-streaming platform, that was transmitting real-time logs from Huddle01’s video conferencing service without any form of authentication, encryption, or access control. The exposed server contained over 621,000 log entries from a 13-day period, revealing usernames, email addresses, crypto wallet identifiers, and detailed call activity data.
The logs, attributed to Graphene01 Labs, the Delaware-based developer of Huddle01, contained information that could identify when and where users joined meetings, their IP addresses, and which wallets were connected to specific accounts. Huddle01’s app listings claim that no user data is collected or shared with third parties and promote the service as a secure platform for online meetings.
“Huddle01 Meet makes your video meetings and audio calls more secure and efficient,” the app’s description states. Yet Cybernews researchers said the exposed data could easily be accessed by anyone on the internet. “There is a level of irony that a platform advocating for decentralization and privacy puts name tags on crypto wallets, as well as contact details and other metadata,” they said.
The research team warned that combining personally identifiable information with crypto wallet addresses could make users vulnerable to phishing campaigns, relationship mapping, and targeted scams. “A malicious actor could leave a ‘collector’ listening to the insecure Kafka broker for potentially months to obtain more behavioral data,” the researchers added.
Despite multiple responsible disclosure attempts, Huddle01 did not respond to Cybernews for over a month, and the exposed server remained publicly accessible at the time of writing. It is unclear whether unauthorized parties have already accessed or harvested the data.
Kafka brokers are typically used for real-time data streaming but are not designed to store sensitive personal information without additional security layers. Without proper authentication, encryption, and IP whitelisting, anyone could connect to the exposed instance and view user activity in real time.
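As an added illustration (not code from Cybernews or Huddle01), the following Python audit checks a broker's `server.properties` for the missing controls named above: authentication, encryption, access control, and network exposure. Both sample configurations are constructed, and the finding codes are hypothetical names chosen for this example.

```python
import re

# Constructed sample configs (not taken from the exposed server).
WEAK = """
listeners=PLAINTEXT://0.0.0.0:9092
"""
HARDENED = """
listeners=CLIENT://10.0.0.5:9093
listener.security.protocol.map=CLIENT:SASL_SSL
sasl.enabled.mechanisms=SCRAM-SHA-512
authorizer.class.name=org.apache.kafka.metadata.authorizer.StandardAuthorizer
allow.everyone.if.no.acl.found=false
"""

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blanks and comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit_broker(text):
    """Return sorted finding codes for one broker's server.properties."""
    p = parse_properties(text)
    findings = set()
    # A listener name is its own protocol unless the map renames it.
    proto_map = dict(e.strip().split(":", 1) for e in
                     p.get("listener.security.protocol.map", "").split(",") if ":" in e)
    # Kafka's default listener when none is configured is PLAINTEXT on 9092.
    for entry in p.get("listeners", "PLAINTEXT://:9092").split(","):
        m = re.match(r"\s*([^:]+)://(.*):(\d+)\s*$", entry)
        if not m:
            continue
        name, host = m.group(1), m.group(2)
        proto = proto_map.get(name, name).upper()
        if proto == "PLAINTEXT" or (proto == "SSL" and
                                    p.get("ssl.client.auth") != "required"):
            findings.add("NO_AUTHENTICATION")
        if proto in ("PLAINTEXT", "SASL_PLAINTEXT"):
            findings.add("NO_ENCRYPTION")
        if host in ("", "0.0.0.0", "::", "[::]"):
            findings.add("BOUND_TO_ALL_INTERFACES")  # needs firewall/IP allow list
    if not p.get("authorizer.class.name"):
        findings.add("NO_ACL_AUTHORIZER")
    if p.get("allow.everyone.if.no.acl.found", "false").lower() == "true":
        findings.add("ACLS_FAIL_OPEN")
    return sorted(findings)
```

Running `audit_broker(WEAK)` reports all four gaps, while `audit_broker(HARDENED)` returns an empty list; an empty file is treated like the weak case because Kafka falls back to a plaintext listener on all interfaces.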
Huddle01, which promotes itself as a decentralized Web Real-Time Communication (WebRTC) platform for cross-chain wallet users, has more than 50,000 downloads on Google Play and an average rating of 4.7 stars on Apple’s App Store. The company’s whitepaper outlines its goal of building a decentralized communication network, but the discovery suggests that key elements of its infrastructure still rely on centralized systems.