A well-known South Asian shipping and delivery company exposed 400 million records containing customers’ personal information after misconfiguring an Elasticsearch server, according to researchers.
A team from review website Safety Detectives discovered the 200GB trove during a simple IP address check on specific ports. It was left wide open with no password protection or encryption, meaning anyone with the server’s IP address could have accessed the database.
The team quickly traced the leak back to Bykea, a Karachi-based vehicle-for-hire and delivery company that offers an extensive fleet of “motorbike taxis” which are bookable via smartphone app.
According to Safety Detectives, the company exposed its entire production server, including customers’ full names, phone numbers and email addresses, and drivers’ full names, phone numbers, addresses, license numbers and ID card (CNIC) details.
Also featured in the trove were Bykea employees’ unencrypted passwords and logins.
Other information exposed in the privacy snafu included API logs, delivery and pick-up location data, vehicle information, GPS coordinates and user device information.
The firm secured the server within 24 hours of being notified, on November 24.
If cyber-criminals had been able to get hold of the leaked data, it would have armed them with a major haul for carrying out follow-on phishing, identity theft and fraud.
“Full names, home address details, ID documents like CNIC, online login details and location data could most likely be exploited by nefarious users to target unsuspecting people that registered with the firm,” said Safety Detectives.
“Car registration and vehicle details could most likely be used to carry out insurance fraud and other heinous crimes involving stolen identities.”
With employee logins, attackers could also have attempted ransomware and other attacks against Bykea itself.
Some parts of this article are sourced from:
www.infosecurity-journal.com