Bykea Database Leak: Over 400 million personal records exposed


Bykea, a well-known ride-hailing service in Pakistan, suffered a major data breach that affected its user database.

Safety Detectives discovered that Bykea had exposed its production server information, which allowed access to data containing over 400 million personal records (over 200GB of data). The records in question consist of users' full names, locations, and other personal information that hackers could potentially use for harassment.

"The Elastic instance was left publicly exposed without password protection or encryption which meant anyone in possession of the server's IP address could access the database and potentially remove data from it." (Safety Detectives blog)

The data was leaked through an exposed server that contained the API logs for both the company's web and mobile sites and all production server information. The database (weighing 200GB) containing 400 million records and the database that stores regularly updated data, including user details, were both located on a production server.
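The misconfiguration described above (an Elastic node reachable from other hosts with no authentication and no TLS) can be checked for in a node's configuration. The following is an added example, not code from Bykea or Safety Detectives; the sample configurations are constructed, and the checker assumes a flat `elasticsearch.yml` with dotted keys and treats a missing security setting as disabled.

```python
# Added example: audit a flat elasticsearch.yml for the exposure class in the article.
# Assumptions: dotted "key: value" lines; a setting that is absent counts as disabled.
LOOPBACK = {"", "_local_", "localhost", "127.0.0.1", "::1"}

def parse_flat_yaml(text):
    """Parse dotted 'key: value' lines, ignoring comments and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings

def is_true(settings, key):
    return settings.get(key, "false").lower() == "true"

def audit(text):
    """Return (severity, message) findings; HIGH when the node is not loopback-only."""
    s = parse_flat_yaml(text)
    host = s.get("http.host", s.get("network.host", ""))
    severity = "MEDIUM" if host in LOOPBACK else "HIGH"
    findings = []
    if not is_true(s, "xpack.security.enabled"):
        findings.append((severity, "no authentication: xpack.security.enabled is not true"))
    if not is_true(s, "xpack.security.http.ssl.enabled"):
        findings.append((severity, "REST API without TLS: xpack.security.http.ssl.enabled is not true"))
    return findings

# Constructed sample: node bound to all interfaces with no security settings.
WEAK = """
cluster.name: logging-backup   # constructed name
network.host: 0.0.0.0
http.port: 9200
"""

# Constructed sample: same node with authentication and TLS switched on.
HARDENED = """
network.host: 10.0.0.5
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```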


More specifically, the server contained personally identifiable information (PII) for both customers and contracted employees (its drivers, called "partners" by Bykea).

Bykea customers' PII:

  • Full names
  • Phone numbers
  • Email addresses

Bykea partners' (drivers') PII:

  • Full names
  • Phone numbers
  • Address
  • CNIC (Computerised National Identity Card)
  • Driver license numbers, issuing city and expiry dates
  • Body temperature

Other information was also left unsecured, such as:

  • Internal API logs
  • Collection and delivery location information
  • User token ID with cookie details and session logs
  • Specific GPS coordinates
  • Vehicle information including model and number plate
  • Driver license expiry information
  • Miscellaneous user device information
  • Encrypted IMEI numbers

The Safety Detectives team also discovered that Bykea's server contained customer invoices showing full trip information, including where customers were picked up and dropped off, driver arrival times, trip distances, fare details, and more.

Moreover, the team found another critical element of Bykea's database leak: internal employee login and unencrypted password information on the unsecured server.


The Safety Detectives team discovered the breach on 14 November 2020. According to the blog post, the team reported the breach to Bykea on 24 November (10 days later) and in response, the affected company secured its database within 24 hours.

The details about the breach were recently made public by Safety Detectives.

Bykea's response

Safety Detectives is a team of online security experts and as ethical hackers reported a vulnerability on one of Bykea's backup logging nodes in November 2020. The company had attracted interest after a public hacking incident on Aug 31st when Bykea's database was deleted and it took 24 hours to recover a downtime.

Representatives from Bykea were in touch with Safety Detectives who then helped the security team at Bykea solve the vulnerability. Unlike what bloggers in the aftermath of the article on Safety Detectives' site inferred, this was a vulnerability identification, not a breach of stolen data for criminal purposes. The citation of 400 million files mostly comprises millions of GPS pinpoints that Bykea solicits in tracking over a two-week period in 2020 and drivers can rest assured that national ID data is encrypted now on Bykea. Bykea has been on a hiring spree since the middle of 2020, bolstering the engineering team as well as specifically adding dedicated security resources to recognize the importance of this function.

"Information security is a crucial function and protecting consumer information is a key activity in building trust for rapidly growing digital companies like Bykea," said Muneeb Maayr, who went on to say: "Security researchers and teams like Safety Detectives play a crucial role in creating awareness and helping companies all around the world identify and plug their weaknesses, a contribution Bykea explicitly welcomes."

Bykea had engaged a multitude of security companies including SecurityWall that ran pen tests on Bykea's infrastructure and a vulnerability disclosure program with HackerOne. The company is exploring ways to build ongoing collaborations with ethical hackers to advance their mutual interests of building a secure digital economy protecting personal information while empowering consumers with new services and digitally-enabled value propositions. More details on Bykea's vulnerability disclosure and bug bounty program can be found