According to the hacker behind the breach, they found the backup database of CityBee exposed on the internet for public access.
CityBee, a prominent Lithuania-based car-sharing platform has suffered a data breach in which personal data including login credentials of its registered customers have been leaked on a prominent hacker forum.
It is worth noting that CityBee is quite a thing in Lithuania. The company rents cars, scooters, bicycles, and even trucks to its customers.
According to the hacker, one of CityBee’s website backups was publically available without any security authentication meaning anyone could have downloaded the data. This database contained sensitive data of over 110,313 including the following:
- Personal codes
- Telephone numbers
- Residence addresses
- Driver’s license numbers
- Encrypted passwords
However, the data leaked by the hacker only contained email addresses, password hashes, first names, last names, and government ID numbers. The rest of the data was put for sale.
How did it happen?
Initially, the hacker apologized to the victims (customers/users) affected by the CityBee data breach. They went on to explain that they did not know “CityBee is a big company” because of extremely lax security on their site.
So the security behind CityBee is alarming. We’ve seen other company’s get hacked in the same way whether it be open s3 buckets or azure blobs and I guess companies haven’t learned, the hacker said in a statement.
Doing a quick search on some CNAME records shows us some pretty juicy info. I specifically targeted the azure blob that was registered to them. There was probably more info in the other CNAMErecords but I was mostly scanning for open blobs.
The hacker maintains that what they did was not illegal in any way since the database was available publicly and did not require any hacking to access.
No protection on the file or anything just right there open for anyone to download. It also took them 2 whole days after the leak to finally wipe it from their blob instance! Who knows how long it’s been up for, the hacker added.
CityBee has acknowledged the breach
The company has acknowledged the data breach. In a statement on Facebook on February 15th, CityBee announced that it is aware of the breach and an investigating the incident.
The next day, the company concluded that the database only contained information of customers who registered their accounts before February 22nd, 2018.
Steps for Safety
CityBee assures that its customers’ payment information is safe as it was never collected by the company. However, it has urged users to change their passwords on the platform.
If you are one of the victims of the data breach it is advised to enable two-factor authentication on your account.