A well know parcel delivery company based in Pakistan has suffered a significant data breach which affected its extensive user database.
The Safety Detectives cybersecurity department, led by Anurag Sen, discovered the elastic server vulnerability during routine IP-address checks on specific ports.
Our team discovered that Pakistan-based company Bykea had exposed all its production server information and allowed access to over 200GB of data containing more than 400 million records showing people’s full names, locations and other personal sensitive information that could potentially be harnessed by hackers to cause financial damage.
The Elastic instance was left publicly exposed without password protection or encryption which meant anyone in possession of the server’s IP-address could access the database and potentially remove data from it.
In September 2020, Bykea suffered a separate breach, during which unidentified hackers reportedly deleted the company’s entire customer database. At the time, Bykea said it was unaffected by the intrusion because it kept regular backups.
In response, Bykea’s CEO Muneeb Maayr described the cyberattack as “nothing out of the ordinary” given that Bykea is a mobility-based tech firm. But question is still there remains unclear whether this latest breach is related to the hack attack in September.
Who is Bykea?
Founded in 2016 by Pakistani entrepreneur Muneeb Maayr, Bykea is a transportation, logistics and cash on delivery payments company, headoffice in Karachi, Pakistan. The company was one of the first to introduce the concept of “motorbike taxis”, used as a means of transport and delivery. Currently, the company offers its range of taxi services in Karachi, Rawalpindi and Lahore.
Bykea also operates as a vehicle-for-hire and parcel delivery company and maintains a software app offering users access to all its services via Google Play and App Store.
What was leaked?
The hacked server contained API logs for both the company’s web and mobile sites and all production server information. The 200GB database containing 400 million people records was located on a production server that stores regularly updated data including internal logs including user details.
More specifically, the server contained personally identifiable information (PII) for both customers and contracted employees of Bykea.
Bykea customer’s PII:
- Cell numbers
- Email addresses
Bykea partners’ (drivers’) PII:
- Full names
- Phone numbers
- Driver license numbers, issuing city and expiry dates
Other information was also unsecured, such as:
- Internal API logs
- Collection and delivery location information
- User token ID with cookie details and session logs
- Specific GPS coordinates
- Vehicle information including model and number plate
- Driver license expiry information
- Miscellaneous user device information
- Encrypted IMEI numbers
Safety detectives team discovered Bykea’s server contained customer invoices showing full trip information including where customers were picked and dropped off details, driver arrival times, trip distances, fare details and much more.
Moreover, Bykea had existing commercial partnerships with other Pakistani companies including K-Electric, JazzCash and EasyPaisa allowing customers to pay their bills, get cash and send money with the help of a Bykea driver and its app. This data was also stored on Bykea’s database and exposed in the leak.
|Number of records leaked:||400 million|
|Number of affected users:||Unknown till now|
|Size of data breach:||200 GB|
|Server location:||Boydton, United States|
|Company location:||Karachi, Pakistan|
Safety detectives team discovered Bykea’s vulnerability on 14 November 2020. Upon contacting the company on 24 November, Bykea responded immediately by securing its database within 24 hours.
Data breach impact
From the large number of discovered records and the type of information made available, several negative outcomes could occur including identity theft, fraud, and phishing scams.
Full names, residential address details, ID documents like CNIC, online login information and location data could potentially be exploited by nefarious users to target unsuspecting people that registered with the company. Car registration and vehicle data could potentially be used to conduct insurance fraud and other heinous crimes involving stolen identities.
Also, user email addresses could be targeted by hackers who typically use deceptive methods such as infusing leaked customer data into email communications to trigger click throughs to malicious websites and installing malicious software.
Moreover, website backend data could be utilize to exploit Bykea’s internal IT system including its app and website to do ransomware attacks or simply to cripple its servers. Back-end technical logs expose not only personal information but also, data that can be weaponised to obtain full control of the server.
Preventing Data Breach
How can you prevent your personal information from being exposed in a data breach and ensure that you are not a victim of cyber attacks or in real world – if it is leaked?
- Changes your login information’s passwords etc.
- Be cautious of what information you give out and to whom
- Check the website you are on is it secure? (look for https and/or a closed lock)
- Only give out what you feel confident cannot be used against you (avoid government ID numbers, personal preferences that may cause you trouble if made public, etc.)
- Create strong passwords by combining letters, numbers, and symbols
- Do not click at links in emails unless you are sure that the sender is real who they represent themselves to be
- Double-check any social media accounts (even ones you no longer use) to ensure that the privacy of your posts and personal details are visible only to people you trust
- Avoid using credit card information and typing out passwords over unsecured Wi-Fi networks it’s very important.
- Find out more about what constitutes cybercrime, the best tips to prevent phishing attacks, and how to avoid ransomware
I am a Cyber Security expert cover cybercrime, privacy, security and surveillance, consumer technology, and anything else that seems interesting.