An internal database holding user personal information, including information on children was made publicly available on the internet for months by the new Indian social media app Slick. A database of Slick users’ full names, phone numbers, dates of birth, and profile images has been available online without a password at least since December 11.

Bengaluru-based Former Unacademy executive Archit Nanda established Slick in November 2022 after switching from cryptocurrency and shutting down his old business CoinMint. His most recent project, Slick, is available for both Android and iOS users and functions similarly to the well-known American compliments-based software Gas. Students in high school and college can communicate with and discuss their friends in private using the app.

Anurag Sen, a security researcher with CloudDefense.ai, discovered the unsecured database and requested TechCrunch for assistance in alerting the social media firm to the problem. Shortly following Friday’s contact from TechCrunch, Slick secured the database.

A configuration error allowed anyone who knew the database’s IP address to access the data, which at the time it was secured contained records for more than 153,000 people.

The researcher also alerted CERT-In, India’s top cybersecurity agency, which is also known as the country’s computer emergency response team.

TechCrunch received confirmation from Nanda that Slick addressed the exposure. If anyone other than Sen discovered the database before it was secured, it is unknown.

Soon after its release in India last year, Slick garnered a large number of younger users. Nanda announced on Twitter earlier this month that the app had surpassed 100,000 downloads.