Jain discovered an unprotected database online associated with the app that contained more than two million network passwords.
He reported his findings to Zack Whittaker of TechCrunch, and the two of them spent more than two weeks trying to contact the China-based developer, to no avail. When that effort failed, they contacted DigitalOcean, the company hosting the database, which promptly pulled it offline.
As to the app itself, WiFi Finder is very good at what it does, and it does what the name suggests. It searches for WiFi hotspots and maps them, giving users the ability to upload all their stored WiFi passwords.
Unfortunately, the app isn’t picky. It makes no distinction between public and private hotspots. If your neighbor has an unprotected router, it’ll show up on the list.
According to statistics obtained from Google, WiFi Finder has been downloaded more than 100,000 times. Given how many WiFi hotspots there are all over the world, each user is bound to have a dozen or more mapped by the app, which translates into a lot of hotspots in the database, considering the size of the database Jain found.
If there’s a bright spot to be found in the incident, the database did not include contact information for the WiFi owners. However, it did contain geolocation data, and of course, if you saved your passwords in the app, then that was included as well.
If you’re currently using the app, to be safe, you should probably delete it and find a better option. Then change your WiFi passwords, as there’s no telling who may now have access.