A popular south Asian delivery company exposed 400 million records containing customers’ personal information via a vulnerable cloud server, according to researchers.
A team from reviews site Safety Detectives found the bug during a simple IP address check on specific ports. It claimed the Elasticsearch server was left wide open with no password protection or encryption, meaning anyone with the server’s IP address could have accessed the database.
The team soon traced the leak back to Bykea, a Karachi-based vehicle-for-hire and delivery company that offers an extensive fleet of “motorbike taxis” which are bookable via smartphone app.
Bykea contacted Infosecurity to clarify that the vulnerability was in one of the firm's "backup logging nodes" and that it was promptly patched before it could be exploited.
According to Safety Detectives, the firm exposed its entire production server, including customers’ full names, phones numbers and email addresses, and drivers’ full names, phone numbers, addresses, license numbers and ID card (CNIC) details. Bykea explained that national ID data is now encrypted.
Also featured in the trove were Bykea employees’ unencrypted passwords and logins.
Other information exposed in the privacy snafu included API logs, delivery and collection location info, vehicle info, GPS coordinates and user device information.
If cyber-criminals were able to get hold of the leaked information it would have armed them with a major haul for carrying out follow-on phishing, identity theft and fraud.
“Full names, residential address details, ID documents like CNIC, online login information and location data could potentially be exploited by nefarious users to target unsuspecting people that registered with the company,” said Safety Detectives.
“Car registration and vehicle data could potentially be used to conduct insurance fraud and other heinous crimes involving stolen identities.”
With employee logins, attackers could also have attempted ransomware and other attacks against Bykea itself.