Delivery Biz Exposes 400 Million Records in Privacy Snafu
A popular South Asian delivery company exposed 400 million records containing customers’ personal information after misconfiguring an Elasticsearch server, according to researchers.
A team from reviews site Safety Detectives found the 200GB trove during a routine scan of IP addresses on specific ports. The server had no password protection and no encryption, so anyone who knew its IP address could have queried the database directly.
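The check the researchers describe is easy to reproduce against infrastructure you are responsible for. The script below is an added example, not code from the article, Safety Detectives or Bykea: it sends an anonymous GET to the Elasticsearch HTTP port (9200 by default), classifies the answer, and if the node talks back without asking for credentials it lists the indices and how many documents an anonymous client could read. The host name, the function names and the sample JSON responses are this example's own constructions.

```python
"""Added example: probe a host for an Elasticsearch node that answers
anonymous requests (the misconfiguration described in the article).
Not code from the article or the companies involved; sample responses and
function names are assumptions made for illustration."""
from __future__ import annotations

import json
import sys
import urllib.error
import urllib.request

# Constructed sample responses, modelled on the shape Elasticsearch returns
# for GET / and GET /_cat/indices?format=json. The index names and counts
# are invented for this example and are not taken from the incident.
SAMPLE_ROOT = json.dumps({
    "name": "node-1",
    "cluster_name": "production",
    "cluster_uuid": "abc123",
    "version": {"number": "7.10.2"},
    "tagline": "You Know, for Search",
})
SAMPLE_INDICES = json.dumps([
    {"health": "green", "status": "open", "index": "customers",
     "docs.count": "1500000", "store.size": "2.1gb"},
    {"health": "yellow", "status": "open", "index": "api-logs",
     "docs.count": "390000000", "store.size": "198gb"},
    {"health": "green", "status": "close", "index": "archive-2019",
     "docs.count": None, "store.size": None},
])


def classify_root_response(status: int, body: str) -> str:
    """Decide what GET / on the port tells us.

    'open'              node returned cluster metadata with no auth
    'auth-required'     node is there but rejects anonymous requests
    'not-elasticsearch' / 'unknown'   something else is listening
    """
    if status == 401:
        return "auth-required"
    if status != 200:
        return "unknown"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "not-elasticsearch"
    if isinstance(data, dict) and "cluster_name" in data and "version" in data:
        return "open"
    return "not-elasticsearch"


def summarize_indices(body: str) -> list[dict]:
    """Reduce /_cat/indices?format=json to name, document count and size.
    Closed indices report null counts; treat them as zero instead of crashing."""
    summary = []
    for row in json.loads(body):
        summary.append({
            "index": row.get("index", "?"),
            "docs": int(row.get("docs.count") or 0),
            "size": row.get("store.size") or "n/a",
        })
    return summary


def total_documents(summary: list[dict]) -> int:
    """Documents an anonymous client could read across all listed indices."""
    return sum(row["docs"] for row in summary)


def _get(url: str, timeout: float) -> tuple[int, str]:
    """GET url and return (status, body), also for HTTP error statuses."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def probe(host: str, port: int = 9200, timeout: float = 5.0) -> dict:
    """Check one host:port for an unauthenticated Elasticsearch node.
    Plain http is used on purpose: the exposed node in the article had no
    encryption, and an https-only node simply shows up as 'unreachable'."""
    base = f"http://{host}:{port}"
    try:
        status, body = _get(base + "/", timeout)
        verdict = classify_root_response(status, body)
        result = {"host": host, "port": port, "verdict": verdict, "indices": []}
        if verdict == "open":
            status, body = _get(base + "/_cat/indices?format=json", timeout)
            if status == 200:
                result["indices"] = summarize_indices(body)
    except (urllib.error.URLError, OSError) as exc:
        return {"host": host, "port": port, "verdict": "unreachable",
                "error": str(exc)}
    return result


if __name__ == "__main__":
    # Usage: python es_check.py <host> [port]   (only against hosts you own)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 9200
    report = probe(target, target_port)
    print(json.dumps(report, indent=2))
    if report["verdict"] == "open":
        print(f"OPEN: {total_documents(report['indices'])} documents readable "
              "without credentials", file=sys.stderr)
```

A node that is configured correctly answers the first request with HTTP 401 (or is not reachable from the internet at all, because `network.host` binds it to an internal interface and the port is not exposed); a verdict of `open` means the same situation the article describes, and the index listing shows the size of the problem before anyone reads a single record.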
The team soon traced the leak back to Bykea, a Karachi-based vehicle-for-hire and delivery company that offers an extensive fleet of “motorbike taxis” which are bookable via smartphone app.
According to Safety Detectives, the firm exposed its entire production server, including customers’ full names, phone numbers and email addresses, and drivers’ full names, phone numbers, addresses, license numbers and ID card (CNIC) details.
Also featured in the trove were Bykea employees’ unencrypted passwords and logins.
Other information exposed in the privacy snafu included API logs, delivery and collection location info, vehicle info, GPS coordinates and user device information.
The firm secured the server within 24 hours of being notified, on November 24.
Had cyber-criminals got hold of the leaked information, it would have armed them with a major haul for follow-on phishing, identity theft and fraud.
“Full names, residential address details, ID documents like CNIC, online login information and location data could potentially be exploited by nefarious users to target unsuspecting people that registered with the company,” said Safety Detectives.
“Car registration and vehicle data could potentially be used to conduct insurance fraud and other heinous crimes involving stolen identities.”
With employee logins, attackers could also have attempted ransomware and other attacks against Bykea itself.