Bykea, a well-known ride-hailing service in Pakistan, suffered a major data breach that affected its user database.
Safety Detectives discovered that Bykea had exposed its production server information, allowing access to over 400 million personal records (more than 200GB of data). The records include users' full names, locations and other personal information that attackers could use to harass or target them.
The Elastic instance was left publicly exposed without password protection or encryption which meant anyone in possession of the server’s IP address could access the database and potentially remove data from it. – Safety Detectives blog
The data was leaked through an exposed server that held the API logs for both the company’s web and mobile platforms as well as all production server information. The 200GB database containing the 400 million records and a second database holding regularly updated data, including user details, were both located on that production server.
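The misconfiguration at the heart of this story is an Elasticsearch node answering anonymous HTTP requests. The following checker is an added example written for this article; it is not code from Safety Detectives, Bykea or the Elastic project. It sends the same two requests an unauthenticated scanner would (GET / for the cluster banner, then GET /_cat/indices to enumerate indices with their document counts and sizes) and reports what an anonymous client can see. The IP addresses, index names and responses are constructed; the sizes only mirror the scale reported above and are not data from the Bykea server.

```python
"""Check whether an Elasticsearch HTTP endpoint answers anonymous requests.

Added example for this article; not code from Safety Detectives or Bykea.
The addresses, index names and responses below are constructed.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.error import HTTPError
from urllib.request import Request, urlopen


@dataclass
class Response:
    status: int
    body: str


Fetcher = Callable[[str], Response]


def http_fetch(url: str, timeout: float = 5.0) -> Response:
    """Plain GET with no credentials, exactly what an anonymous scanner sends."""
    req = Request(url, headers={"Accept": "application/json"})
    try:
        with urlopen(req, timeout=timeout) as resp:
            return Response(resp.status, resp.read().decode("utf-8", "replace"))
    except HTTPError as err:  # 401/403 land here; keep the body for inspection
        return Response(err.code, err.read().decode("utf-8", "replace"))


def classify(root: Response) -> str:
    """Classify the reply to GET / on the REST port (9200 by default).

    A node with security enabled answers 401 (or 403) even to this request;
    a node without it hands the cluster banner to anyone who asks.
    """
    if root.status in (401, 403):
        return "auth-required"
    if root.status == 200:
        try:
            doc = json.loads(root.body)
        except ValueError:
            return "unknown"
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
    return "unknown"


def summarize_indices(cat: Response) -> List[Dict]:
    """Parse GET /_cat/indices?format=json&bytes=b into index/docs/bytes rows.

    docs.count and store.size are null for closed indices, hence the `or 0`.
    """
    return [{"index": row["index"],
             "docs": int(row.get("docs.count") or 0),
             "bytes": int(row.get("store.size") or 0)}
            for row in json.loads(cat.body)]


def audit(base_url: str, fetch: Fetcher = http_fetch) -> Dict:
    """Return the exposure state and, if open, what an anonymous client can see."""
    result = {"state": classify(fetch(base_url + "/")), "indices": [],
              "total_docs": 0, "total_bytes": 0}
    if result["state"] != "open":
        return result
    cat = fetch(base_url + "/_cat/indices?format=json&bytes=b")
    if cat.status == 200:
        result["indices"] = summarize_indices(cat)
        result["total_docs"] = sum(i["docs"] for i in result["indices"])
        result["total_bytes"] = sum(i["bytes"] for i in result["indices"])
    return result


# Constructed responses standing in for real nodes (TEST-NET addresses).
# The sizes mirror the scale reported in the article; they are not real data.
OPEN_NODE = "http://198.51.100.10:9200"
SECURED_NODE = "http://198.51.100.11:9200"
SAMPLE_RESPONSES = {
    OPEN_NODE + "/": Response(200, json.dumps({
        "name": "node-1", "cluster_name": "prod-logs",
        "version": {"number": "7.9.0"}, "tagline": "You Know, for Search"})),
    OPEN_NODE + "/_cat/indices?format=json&bytes=b": Response(200, json.dumps([
        {"index": "api-logs-2020.11", "docs.count": "350000000",
         "store.size": "180000000000"},
        {"index": "users", "docs.count": "50000000", "store.size": "20000000000"},
        {"index": "archive-2019", "docs.count": None, "store.size": None},
    ])),
    SECURED_NODE + "/": Response(401, json.dumps({"error": {
        "type": "security_exception",
        "reason": "missing authentication credentials"}})),
}


def fake_fetch(url: str) -> Response:
    """Offline stand-in for http_fetch that serves the constructed responses."""
    return SAMPLE_RESPONSES.get(url, Response(404, ""))


if __name__ == "__main__":
    for node in (OPEN_NODE, SECURED_NODE):
        print(node, audit(node, fake_fetch))
```

Run `audit("http://<host>:9200")` only against nodes you own or are authorised to test. An "open" result means the node is reachable without credentials; before 8.0, Elasticsearch shipped with security off unless `xpack.security.enabled` was set, and binding `network.host` to a public interface is what turns that default into the exposure described here.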
More specifically, the server contained personally identifiable information (PII) for both customers and contracted employees – their drivers, called “partners” by Bykea.
Bykea customers’ PII:
- Full names
- Phone numbers
- Email addresses
Bykea partners’ (drivers’) PII:
- Full names
- Phone numbers
- CNIC (Computerised National Identity Card) numbers
- Driver license numbers, issuing city and expiry dates
- Body temperature
Other information was also left unsecured, such as:
- Internal API logs
- Collection and delivery location information
- User token ID with cookie details and session logs
- Specific GPS coordinates
- Vehicle information including model and number plate
- Driver license expiry information
- Miscellaneous user device information
- Encrypted IMEI numbers
Safety Detectives’ team also discovered that Bykea’s server contained customer invoices showing full trip information, including where customers were picked up and dropped off, driver arrival times, trip distances, fare details, and more.
The team also found another critical exposure on the same unsecured server: internal employee logins together with their unencrypted passwords.
The Safety Detectives team discovered the exposure on 14 November 2020. According to the blog post, they reported it to Bykea on 24 November (10 days later), and the company secured the database within 24 hours of the report.
The details about the breach were recently made public by Safety Detectives.
Safety Detectives is a team of online security experts who, acting as ethical hackers, reported a vulnerability on one of Bykea’s backup logging nodes in November 2020. The company had attracted attention after a public hacking incident on 31 August in which Bykea’s database was deleted, causing 24 hours of downtime before service was recovered.
Representatives from Bykea were in touch with Safety Detectives, who then helped Bykea’s security team resolve the vulnerability. Contrary to what some bloggers inferred in the aftermath of the article on Safety Detectives’ site, this was a vulnerability identification, not a breach in which data was stolen for criminal purposes. The cited figure of 400 million files mostly consists of millions of GPS pinpoints that Bykea collects for tracking, gathered over a two-week period in 2020, and drivers can rest assured that national ID data is now encrypted on Bykea. Bykea has been on a hiring spree since mid-2020, bolstering its engineering team and adding dedicated security resources in recognition of the importance of this function.
“Information security is a crucial function and protecting consumer information is a key activity in building trust for rapidly growing digital companies like Bykea,” said Muneeb Maayr, who went on to say: “Security researchers and teams like Safety Detectives play a crucial role in creating awareness and helping companies all around the world identify and plug their weaknesses, a contribution Bykea explicitly welcomes.”
Bykea has engaged a number of security companies, including SecurityWall, which ran penetration tests on Bykea’s infrastructure, and has a vulnerability disclosure program with HackerOne. The company is exploring ways to build ongoing collaborations with ethical hackers to advance their mutual interest in building a secure digital economy that protects personal information while empowering consumers with new services and digitally enabled value propositions. More details on Bykea’s vulnerability disclosure and bug bounty program can be found here: bykea.com/security