Key Ring, an app that lets people upload and store card details, has left the information of millions of users exposed, according to researchers at vpnMentor.
Key Ring claims 14 million North Americans have used its app to upload scans and photos of cards to digital folders that they can access as needed.
The firm stresses that its app is designed for membership and loyalty cards but, according to vpnMentor, users have been storing copies of government IDs, driver's licenses and even credit cards - including CVV numbers.
All of these uploads - some 44 million images - have been exposed because of misconfigured Amazon Web Services S3 buckets, making the information publicly accessible to anyone with a web browser, say the researchers.
Key Ring secured the buckets after being informed of the issue, says vpnMentor, but it is not known how long the information was exposed, and hackers could have taken it and stored it locally, offline.
Key Ring recently stopped operating in Europe, blaming the requirements of the EU's new General Data Protection Regulation (GDPR).
The firm has not replied to requests for comment.