The Pakistani ride-hailing and parcel delivery service Bykea suffered a massive data breach that has affected its extensive user database, according to a report published by Safety Detectives.
According to the details, the Safety Detectives cybersecurity team “discovered an elastic server vulnerability during routine IP-address checks on specific ports.”
The team discovered that Bykea suffered a massive data breach exposing all its production server information and allowing access to over 200GB of data containing users’ personal information, including their full names and locations.
The Safety Detectives team stated that the “elastic instance” was left publicly exposed without any password protection or encryption, allowing anyone with the server’s IP address to gain access to the Bykea database containing personal information.
In the article, the Safety Detectives team states that Bykea suffered a separate data breach in September 2020, during which unidentified hackers reportedly deleted the company’s entire customer database. However, the company stated that it was unaffected by the intrusion because it kept regular backups.
Bykea Data Breach – What was Leaked?
According to the article, the Bykea data breach exposed API logs for both the company’s web and mobile sites, including production server information. “The 200GB database containing 400 million records was located on a production server that stores regularly updated data including internal logs including user details,” the article stated.
The data breach contained personally identifiable information (PII) for both customers and Bykea drivers, aka “partners” or “captains”.
Bykea customers’ PII:
- Full names
- Phone numbers
- Email addresses
Bykea partners’ (drivers’) PII:
- Full names
- Phone numbers
- CNIC (Computerized National Identity Card)
- Driver license numbers, issuing city and expiry dates
- Body temperature
Other information was also left unsecured, such as:
- Internal API logs
- Collection and delivery location information
- User token ID with cookie details and session logs
- Specific GPS coordinates
- Vehicle information including model and number plate
- Driver license expiry information
- Miscellaneous user device information
- Encrypted IMEI numbers
The cybersecurity team also discovered that the Bykea data breach contained customer invoices showing complete trip details, including where customers were picked up and dropped off, timings and fare details.
Furthermore, the Bykea data leak also exposed internal employee login and unencrypted password information on the unsecured server.
“Bykea had existing commercial relationships with other Pakistani companies including K-Electric, EasyPaisa and JazzCash allowing customers to pay their electricity bills, get cash and send money with the assistance of a Bykea driver and its app,” the article stated. “This data was also stored on Bykea’s database and exposed in the leak.”
Total Data Leaked
|Number of records leaked:|400+ million|
|Number of affected users:|Unknown|
|Size of data breach:|200+ gigabytes|
|Server location:|Boydton, United States|
|Company location:|Karachi, Pakistan|
Another vulnerability was discovered on 14 November 2020. The cybersecurity team at Safety Detectives informed Bykea regarding the matter on 24 November 2020 and the company patched the database within 24 hours.
It is pertinent to mention that Bykea has not commented on this latest data breach.