Bykea Data Breach Exposes 200GB of Personal User Information

The Pakistani ride-hailing and parcel delivery service Bykea suffered a massive data breach that has affected its extensive user database, according to a report published by Safety Detectives.


According to the details, the Safety Detectives cybersecurity team “discovered an elastic server vulnerability during routine IP-address checks on specific ports.”

The team discovered that Bykea suffered a massive data breach exposing all its production server information and allowing access to over 200GB of data containing users’ personal information, including their full names and locations.


The Safety Detectives team stated that the “elastic instance” was left publicly exposed without any password protection or encryption, allowing anyone with the server’s IP address to gain access to the Bykea database containing personal information.

In the article, the Safety Detectives team states that Bykea suffered a separate data breach in September 2020, during which unidentified hackers reportedly deleted the company’s entire customer database. However, the company stated that it was unaffected by the intrusion because it kept regular backups.

Bykea Data Breach – What was Leaked?

According to the article, the Bykea data breach exposed API logs for both the company’s web and mobile sites, including production server information. “The 200GB database containing 400 million records was located on a production server that stores regularly updated data including internal logs including user details,” the article stated.


The data breach contained personally identifiable information (PII) for both customers and Bykea drivers, also known as “partners” or “captains”.

Bykea customers’ PII:

  • Full names
  • Phone numbers
  • Email addresses

Bykea partners’ (drivers’) PII:

  • Full names
  • Phone numbers
  • Address
  • CNIC (Computerized National Identity Card)
  • Driver license numbers, issuing city and expiry dates
  • Body temperature

Users’ full trip details exposed on the server | Source: Safety Detectives

Other information was also left unsecured, such as:

  • Internal API logs
  • Collection and delivery location information
  • User token ID with cookie details and session logs
  • Specific GPS coordinates
  • Vehicle information including model and number plate
  • Driver license expiry information
  • Miscellaneous user device information
  • Encrypted IMEI numbers

Driver details including GPS coordinates | Source: Safety Detectives

The cybersecurity team also discovered that the Bykea data breach contained customer invoices showing complete trip details, including where customers were picked up and dropped off, timings and fare details.

Complete trip details. | Source: Safety Detectives

Furthermore, the Bykea data leak also exposed internal employee login and unencrypted password information on the unsecured server.

Employee login information

“Bykea had existing commercial relationships with other Pakistani companies including K-Electric, EasyPaisa and JazzCash allowing customers to pay their electricity bills, get cash and send money with the assistance of a Bykea driver and its app,” the article stated. “This data was also stored on Bykea’s database and exposed in the leak.”

Total Data Leaked

Number of records leaked: 400+ million
Number of affected users: Unknown
Size of data breach: 200+ gigabytes
Server location: Boydton, United States
Company location: Karachi, Pakistan

Another vulnerability was discovered on 14 November 2020. The cybersecurity team at Safety Detectives informed Bykea regarding the matter on 24 November 2020 and the company patched the database within 24 hours.

It is pertinent to mention that Bykea has not commented on this latest data breach.

