Personal Data of Bykea Customers and Captains Was Exposed in a Massive Security Breach - Android

Bykea suffered a significant data breach which affected its extensive user database, according to a report published by Safety Detectives.… Read More

The post Personal Data of Bykea Customers and Captains Was Exposed in a Massive Security Breach appeared first on .

Bykea suffered a significant data breach which affected its extensive user database, according to a report published by Safety Detectives.

The Safety Detectives cybersecurity team discovered the elastic server vulnerability during routine IP-address checks on specific ports.

In this instance, Safety Detective’s team discovered that Karachi-based Bykea had exposed all its production server information and allowed access to over 200GB of data containing more than 400 million records showing people’s full names, locations, and other personal information that could potentially be harnessed by hackers to cause financial and reputational damage.

The Elastic instance was left publicly exposed without password protection or encryption which meant that anyone in possession of the server’s IP-address could access the database and potentially remove data from it, added the report.

“It appeared that in September 2020, Bykea suffered a separate breach, during which unidentified hackers reportedly deleted the company’s entire customer database. At the time, Bykea said it was unaffected by the intrusion because it kept regular backups,” it added.

In response, Bykea’s CEO Muneeb Maayr described the cyberattack as “nothing out of the ordinary” given that Bykea is a mobility-based tech firm. It remains unclear whether this latest breach is related to the hack attack in September.

What Was Leaked?

The exposed server contained API logs for both, the company’s web and mobile sites and all production server information. The 200GB database containing 400 million records was regularly updated with internal logs including user details, reported Safety Detectives.

More specifically, the server contained personally identifiable information (PII) for both customers and contracted employees – their drivers, called “partners”, by Bykea.

Bykea Customer’s PII:

• Full names
• Phone numbers
• Email addresses

Bykea Partners’ (drivers’) PII:

• Full names
• Phone numbers
• Address
• CNIC (Computerised National Identity Card)
• Driver license numbers, issuing city and expiry dates
• Body temperature

Other Information Also Left Unsecured:

• Internal API logs
• Collection and delivery location information
• User token ID with cookie details and session logs
• Specific GPS coordinates
• Vehicle information including model and number plate
• Driver license expiry information
• Miscellaneous user device information
• Encrypted IMEI numbers

Safety Detective’s team discovered that Bykea’s server contained customer invoices showing full trip information including where customers were picked and dropped off, driver arrival times, trip distances, fare details and more.

Their team also found Bykea’s internal employee login and unencrypted password information on the unsecured server.

The report further added that Bykea had existing commercial relationships with other Pakistani companies including K-Electric, EasyPaisa and JazzCash allowing customers to pay their electricity bills, get cash and send money with the assistance of a Bykea driver and its app. This data was also stored on Bykea’s database and exposed in the leak.

It also discovered Bykea’s vulnerability on 14 November 2020. Upon contacting the company on 24 November, Bykea responded immediately by securing its database within 24 hours.

We are awaiting comments from Bykea, to see if they can share more details on what had happened and how serious of the damage was incurred.

The post Personal Data of Bykea Customers and Captains Was Exposed in a Massive Security Breach appeared first on .