Ride-Hailing Firm ‘Bykea’ Leaked Out Sensitive Data of Drivers and Customers

  • Bykea has exposed unencrypted driver and customer PII via an unprotected elastic server.
  • The information in the 200GB of leaked data also includes trip details, contracts, and technical logs.
  • Drivers suffered a more impactful compromise and now run the risk of having their info abused by fraudsters.

The Pakistani ride hailing and parcel delivery service ‘Bykea’ has exposed the sensitive details of its drivers and customers after it failed to properly secure an elastic server that contained 200GB and 400 million records. The discovery comes from researcher Anurag Sen, who found the database during a routine IP-address check on specific ports.

According to the relevant report, the contained data was not encrypted, so any unauthenticated user knowing the server’s IP address could have accessed and copied it.

As the researching team discovered upon looking deeper into the data, Bykea suffered another data breach in September 2020, when hackers found an exposed database again and wiped it. Back then, the firm decided to publicly claim that no customer data was compromised due to the attack and simply restored from a backup.

Source: Security Detectives

This time, the data that has leaked out includes the following:

Customers:

  • Full names
  • Phone numbers
  • Email addresses

Drivers:

  • Full names
  • Phone numbers
  • Address
  • CNIC (Computerized National Identity Card)
  • Driver license numbers, issuing city, expiry dates
  • Body temperature readings

Other:

  • Internal API logs
  • Collection and delivery location information
  • User token ID with cookie details and session logs
  • Specific GPS coordinates
  • Vehicle information, including model and number plate
  • Driver license expiry information
  • Miscellaneous user device information
  • Encrypted IMEI numbers

The researchers also accessed invoicing documents that revealed full trip details, so someone could do a targeted investigation on a person’s whereabouts by knowing their name, or phone number, or email address. Other crucial info found in the server includes commercial relationship contracts and cleartext employee credentials.

Source: Security Detectives

The breach’s impact is different for the drivers and the customers, but it is severe for both and should guarantee the distribution of notifications by Bykea. Judging from the firm’s stance in the past, we wouldn’t expect to see that happening, though.

Drivers should be aware of the possibility of insurance fraud and impersonation, which would create a dire situation for them. Customers will most likely have to deal with scamming and phishing attempts, but blackmail would also be a rare possibility thanks to the trip detail leaks.

As for the firm itself, restoring from backups isn’t fixing the exposure of employee credentials, backend data, corporate network, the leak of technical logs, and the fact that they offered crooks an easy way to plant spyware or ransomware. Also, now that this is public, the reputation damage cannot be mitigated with statements of assurance that nobody other than the researchers accessed this data.

Update on February 02, 2021

Bykea has reached out to inform us that they took the appropriate measures to respond to this security incident, and in fact, they have valid grounds to believe that the vulnerability was fixed before anyone was able to exploit it, so only the researcher has accessed the database. Here’s the full statement.

REVIEW OVERVIEW

Latest

Is It Okay to Charge iPhone 13, Mini, Pro, or Pro Max Overnight?

Without any doubt, there are plenty of misconceptions about charging iOS devices. That’s even more true now since this year’s iPhones have the...

Is It Okay to Play Games While Charging iPhone 13? 

The iOS App Store offers more than one million games. Your options are practically limitless, with console-like games taking full advantage of iPhone 13’s...

Is It Bad to Use iPhone 13 While Charging? 

The latest iPhone generation comes with the longest battery life yet, managing to provide up to 2.5 extra hours of use. With that said,...
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: Chrome, Edge, Firefox, Safari