Bykea, a prominent vehicle-for-hire and parcel delivery company, has been found to have a vulnerability that affected its comprehensive user database, according to a report published by Safety Detectives.
The Safety Detectives cybersecurity team found the Elastic server vulnerability during routine IP-address checks on specific ports. The report says that the Pakistan-based company apparently exposed more than 200 gigabytes of data. This data consisted of more than 400 million user records, which included names, addresses, payment information, and other highly confidential and sensitive data that attackers could abuse to cause huge financial damage to customers.
“It appeared that in September 2020, Bykea suffered a separate breach, during which unidentified hackers reportedly deleted the company’s entire customer database. At the time, Bykea said it was unaffected by the intrusion because it kept regular backups,” the report stated.
What information was leaked?
The exposed server contained API logs for both the firm's web and mobile sites, as well as production server information. As reported by Safety Detectives, the 200GB database was regularly updated with customers' details, which accounted for 400 million records. In addition, the exposed data included personally identifiable information (PII) for both customers and contracted employees.
Bykea Clients' PII:
- Full names
- Phone numbers
- Email addresses
Bykea Employees’ PII:
- Full names
- Phone numbers
- CNIC numbers
- Driver's license numbers
Along with the data listed above, the server also contained customer pick-up and drop-off locations and employee credentials. Further investigation found that Bykea had commercial relationships with EasyPaisa, JazzCash, and K-Electric, allowing customers to receive or clear their payments through these services. Therefore, this information is also compromised.
However, Bykea later contended in its official statement that this was merely a vulnerability identification and cannot be inferred to be a breach. The statement reads:
Representatives from Bykea were in touch with Safety Detectives who then helped the security team at Bykea solve the vulnerability. Unlike what bloggers in the aftermath of the article on Safety Detectives' site inferred, this was a vulnerability identification, not a breach of stolen data for criminal purposes. The citation of 400 million files mostly comprises millions of GPS pinpoints that Bykea solicits in tracking over a two-week period in 2020 and drivers can rest assured that national ID data is encrypted now on Bykea. Bykea has been on a hiring spree since the middle of 2020, bolstering the engineering team as well as specifically adding dedicated security resources to recognize the importance of this function.
Source: Safety Detectives