
Anonymous mental health app Feelyou accidentally exposed 70,000 personal emails

Anonymous posts on the app's journaling feature could be linked to users' private emails.

 

Mikael Thalen


Posted on Jul 18, 2022   Updated on Jul 19, 2022, 10:09 am CDT

Mental health app Feelyou patched a vulnerability this weekend that saw the email addresses of its nearly 80,000 users exposed online.

Owned by the Japan-based company bajji, Feelyou describes itself as the first journaling and social mood tracking app. It allows users to share their feelings with others either publicly or anonymously. Its tagline is, “It’s O.K. not to be O.K.”

The app allows you to track your mood and include notes on it, which others can respond to. It says the community it fosters can help improve both people’s moods and the environment.

Up until last week, however, anyone could obtain users’ personal email addresses and link them to anonymous posts simply by accessing the app’s GraphQL application programming interface (API), which required no authentication.
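The server-side checks whose absence is described above can be sketched as follows. This is an added example, not code from the article or from Feelyou: the schema, field names, sample data and the `viewerId` context value are all hypothetical.

```javascript
// Added illustration: hypothetical schema, not Feelyou's actual API.
// Constructed sample data.
const users = new Map([
  ["u1", { id: "u1", displayName: "hedgehog", email: "a@example.test" }],
  ["u2", { id: "u2", displayName: "otter", email: "b@example.test" }],
]);
const posts = [
  { id: "p1", authorId: "u1", anonymous: true, mood: "low", note: "rough day" },
  { id: "p2", authorId: "u2", anonymous: false, mood: "ok", note: "better" },
];

// Resolver map in the (parent, args, context) shape common to GraphQL servers.
// ctx.viewerId is assumed to be set by an authentication layer; null means
// the request carried no valid credentials.
const resolvers = {
  Query: {
    posts: (_parent, _args, ctx) => {
      // Check 1: the API itself requires an authenticated caller.
      if (!ctx.viewerId) throw new Error("UNAUTHENTICATED");
      return posts;
    },
  },
  Post: {
    // Check 2: an anonymous post reveals its author only to that author.
    author: (post, _args, ctx) =>
      post.anonymous && post.authorId !== ctx.viewerId
        ? null
        : users.get(post.authorId),
  },
  User: {
    // Check 3: email is private and resolves only for the account owner.
    email: (user, _args, ctx) => (user.id === ctx.viewerId ? user.email : null),
  },
};

// Minimal executor: walks posts -> author -> email as a nested query would.
// The raw authorId is never copied into the response.
function queryPostsWithAuthorEmail(ctx) {
  return resolvers.Query.posts(null, {}, ctx).map((post) => {
    const author = resolvers.Post.author(post, {}, ctx);
    return {
      id: post.id,
      author: author && {
        displayName: author.displayName,
        email: resolvers.User.email(author, {}, ctx),
      },
    };
  });
}
```

The three checks are independent on purpose: even an authenticated caller cannot join an anonymous post to an account or read another user's email.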

The issue was discovered by security researcher maia arson crimew and affected the app’s 77,967 users in 177 countries.

In a statement to the Daily Dot, maia stressed the importance of approaching apps that involve mental health with caution.

“What I think is important here is that we really need to think about who we trust with our (mental) health data, especially in the U.S. post-Roe v. Wade era, but also everywhere and always,” maia told the Daily Dot. “There is no way to know how well secured it is, and even seemingly anonymous posts can probably be linked to you.”

The Daily Dot, after being provided with a full list of email addresses by maia, reached out to numerous Feelyou users. A user, who claimed to be from Italy and asked to remain anonymous, admitted to using the app in the past, verifying the dataset.

After being contacted by the Daily Dot, bajji founder Noritaka Kobayashi stated that the company had confirmed that the security issue had been present since at least Jan. 25 but asserted that no evidence of an attack was found.

Users’ post history and profile information were also accessible. And although such information is technically public on the app, a malicious actor with access to the API could have scraped all the data en masse.

Kobayashi said the vulnerability was fixed over the weekend after a board meeting was held, further stressing that the app did not collect personal information such as names, addresses, birth dates, genders, phone numbers, country of origin, or credit card data.

“Since Feelyou concept is a safe place to vent honest feelings, we do not gather any personal information,” Kobayashi added. “We believe Feelyou app is secure again.”

After checking the API once again, maia confirmed that the data was no longer accessible. The company also said it intends to reach out to users to inform them of the issue.

Apps that collect health-related data have come under increased scrutiny in the wake of the Supreme Court’s ruling that abortion is not a federally protected right. Experts have warned that law enforcement could either request data from an app or buy it from a data broker in order to investigate those who may have had an abortion.

Update 9:47am CT, July 19: In a blog post and an announcement in its app on Tuesday, Feelyou informed its customers of the now-patched vulnerability.

“A technical writer contacted us on July 14, and we investigated the issue from July 14 to July 15, and completed the fix on Saturday, July 16.”


*First Published: Jul 18, 2022, 9:55 am CDT