A popular hotspot finder app for Android exposed the Wi-Fi network passwords for more than two million networks.
The app, downloaded by thousands of users, allowed anyone to search for Wi-Fi networks in their nearby area. The app allows the user to upload Wi-Fi network passwords from their devices to its database for others to use.
That database of more than two million network passwords, however, was left exposed and unprotected, allowing anyone to access and download the contents in bulk.
Sanyam Jain, a security researcher and a member of the GDI Foundation, found the database and reported the findings to TechCrunch.
We spent more than two weeks trying to contact the developer, believed to be based in China, to no avail. Eventually we contacted the host, DigitalOcean, which took down the database within a day of reaching out.
“We notified the user and have taken the [server] hosting the exposed database offline,” a spokesperson told TechCrunch.
Each record contained the Wi-Fi network name, its precise geolocation, its basic service set identifier (BSSID) and network password stored in plaintext.
Disrupt 2026: The tech ecosystem, all in one room
Your next round. Your next hire. Your next breakout opportunity. Find it at TechCrunch Disrupt 2026, where 10,000+ founders, investors, and tech leaders gather for three days of 250+ tactical sessions, powerful introductions, and market-defining innovation. Register now to save up to $400.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
Although the app developer claims the app only provides passwords for public hotspots, a review of the data showed countless home Wi-Fi networks. The exposed data didn’t include contact information for any of the Wi-Fi network owners, but the geolocation of each Wi-Fi network correlated on a map often included networks in wholly residential areas or where no discernible businesses exist.
The app doesn’t require users to obtain the permission from the network owner, exposing Wi-Fi networks to unauthorized access. With access to a network, an attacker may be able to modify router settings to point unsuspecting users to malicious websites by changing the DNS server, a vital system used to convert web addresses into the IP addresses used to locate web servers on the internet. When on a network, an attacker also can read the unencrypted traffic that goes across the wireless network, allowing them to steal passwords and secrets.
Tens of thousands of the exposed Wi-Fi passwords are for networks based in the U.S.
