Pakistani parcel delivery company Bykea recently exposed hundreds of millions of personal data records by failing to secure a production server that stored personally identifiable information of customers and delivery partners.
Bykea is a five-year-old parcel delivery firm operating out of Karachi, Rawalpindi and Lahore which offers transportation, logistics and cash on delivery services to millions of residents in the three cities. Tens of millions of Pakistanis rely on the company for vehicle-for-hire services and book their orders via Apple and Android apps.
In mid-November, security researchers at Safety Detectives discovered an Elasticsearch server belonging to Bykea while conducting IP address checks on specific ports. The server was completely accessible and was found storing more than 200GB of information, including the personal details of customers and drivers, internal API logs, and details of invoices.
In all, the researchers counted over 400 million data records in the server, none of which was encrypted. The exposed records included customers' full names, phone numbers, and email addresses as well as drivers' full names, addresses, phone numbers, driver licence numbers with expiry dates, and digitized National Identity Cards.
In addition, the unsecured server was found storing API logs for both the company’s web and mobile sites, all production server information, full trip information (including where customers were picked up and dropped off, driver arrival times, trip distances, and fare details), and internal employee login and unencrypted password information.
"Full names, residential address details, ID documents like CNIC, online login information and location data could potentially be exploited by nefarious users to target unsuspecting people that registered with the company. Car registration and vehicle data could potentially be used to conduct insurance fraud and other heinous crimes involving stolen identities.
"Also, user email addresses could be targeted by hackers who typically use deceptive methods such as infusing leaked customer data into email communications to trigger clickthroughs to malicious websites and installing malicious software," Safety Detectives said.
In recent times, security researchers and white hat hackers have been discovering unsecured and misconfigured servers owned by online services with alarming regularity. Earlier this week, security researchers at WizCase said they discovered an unsecured Elasticsearch server owned by VIPGames that exposed over 66,000 user profiles and more than 23 million data records.
The data records leaked by VIPGames.com included usernames, emails, device details, IP addresses, hashed passwords, Facebook IDs, Twitter IDs, Google IDs, in-game transaction details, bets, and details regarding banned players. None of the stored data records were encrypted.
Recently, researchers at WizCase also discovered an unprotected backend server associated with the Microsoft Bing mobile app that exposed up to 6.5 TB worth of data, including details of millions of search queries, device details, and GPS coordinates.
The Microsoft-owned server was set up to log data related to the Microsoft Bing mobile applications for Android and iOS that have enjoyed over ten million downloads on mobile devices. Even though the logs did not contain the names or addresses of Bing users, the unprotected Elastic server contained a wealth of information that could easily be misused by hackers.