The unprotected database contained highly sensitive records of BYKEA customers and drivers.
Another day, another data breach involving Pakistan – This time researchers at Security Detectives have discovered a massive trove of data involving BYKEA, a Karachi, Pakistan-based multi-million dollar vehicle for hire and parcel delivery company.
200 GB worth of BYKEA database exposed
According to researchers, BYKEA’s 200 GB worth of database was exposed on an Elasticsearch server meaning anyone with a little bit of knowledge about the Shodan search engine could have accessed the database without needing to put any security authentication.
Containing more than 400 million records; the database exposed API logs for BYKEA’s production server information and the personal data of the company’s customers and drivers including:
- Full names
- Email addresses
- Phone numbers
As for the drivers; the exposed database included:
- Full names
- Phone numbers
- Physical addresses
- Body temperature
- National ID card numbers (CNIC)
- Driver license numbers, issuing city, and expiry dates.
However, it did not end there. Further digging into the database also exposed internal employee login and password in plain text format. In a blog post, Security Detectives’ researcher Jim Wilson wrote that:
Our team discovered Bykea’s server contained customer invoices showing full trip information including where customers were picked and dropped off driver arrival times, trip distances, fare details and more.