BYKEA data breach: Pakistani ride-hailing app exposed 400m records

According to researchers, BYKEA’s 200 GB worth of database was exposed on an Elasticsearch server.

The unprotected database contained highly sensitive records of BYKEA customers and drivers.

Another day, another data breach involving Pakistan. This time, researchers at Security Detectives have discovered a massive trove of data involving BYKEA, a Karachi, Pakistan-based multi-million dollar vehicle for hire and parcel delivery company.

200 GB worth of BYKEA database exposed

According to researchers, BYKEA’s 200 GB worth of database was exposed on an Elasticsearch server, meaning anyone with basic knowledge of the Shodan search engine could have accessed the database without any authentication.

Containing more than 400 million records, the database exposed API logs for BYKEA’s production server information and the personal data of the company’s customers and drivers, including:

  • Full names
  • Email addresses
  • Phone numbers

As for the drivers, the exposed database included:

  • Full names
  • Phone numbers
  • Physical addresses
  • Body temperature
  • National ID card numbers (CNIC)
  • Driver license numbers, issuing city, and expiry dates

However, it did not end there. Further digging into the database also revealed internal employee login and password details in plain text. In a blog post, Security Detectives’ researcher Jim Wilson wrote:

Our team discovered Bykea’s server contained customer invoices showing full trip information including where customers were picked and dropped off, driver arrival times, trip distances, fare details and more.

Moreover, Bykea had existing commercial relationships with other Pakistani companies including K-Electric, EasyPaisa and JazzCash allowing customers to pay their electricity bills, get cash and send money with the assistance of a Bykea driver and its app. This data was also stored on Bykea’s database and exposed in the leak.

The Good, the Bad, and the Ugly

The good news is that Security Detectives informed BYKEA about the breach on November 24th, 2020, and the company managed to secure the database within 24 hours.

However, the bad news is that BYKEA’s database was exposed to the public for weeks, long enough to cause serious damage if a third party with malicious intent got their hands on it.

As seen last year, cybercriminals have been scanning for exposed databases, stealing the data and selling it on dark web marketplaces, or leaking it on hacker forums for free download.

One such case was reported in 2020 when personal details and phone numbers of 42 million Iranians were exposed on an Elasticsearch server and ended up on the dark web and a hacker forum for sale within days.

In another case, it was reported that a misconfigured Elasticsearch server exposed the personal information of 267 million (267,140,436) Facebook users in December 2019. A year later, in April 2020, the same database was being sold for $600 on a hacker forum.

Pakistan and recent security incidents

A couple of weeks ago, the IT security researchers at Sophos reported a highly sophisticated Android spyware campaign mimicking top Pakistani government platforms, including Pakistan Citizen Portal. The sole purpose of the campaign was to spy on the Pakistani government and citizens.

Furthermore, on January 27th, it was exclusively reported that a threat actor is currently selling mobile phone and telecom data of over 176 million Pakistanis on an infamous hacker forum.
