“Bykea leaked over 400 million files because its data wasn’t protected”
Recently, Safety Detectives, an antivirus review website, wrote a blog post exposing a major data breach by the online delivery service, Bykea.
Muneeb Maayr founded the unique startup Bykea in 2016. Since then, the platform continues to provide services of transportation, logistics, and cash on delivery to Pakistanis. While the company’s headquarters is in Karachi, Pakistan, it offers its range of taxi services in Karachi, Rawalpindi, and Lahore.
Bykea data breach details
Recently, Safety Detectives, an antivirus review website, wrote a blog post exposing a major data breach by the online delivery service, Bykea. The review website claims:
Bykea has leaked more than 400 million files after facing a major data breach affecting its user database. Our cybersecurity team discovered the elastic server vulnerability during routine IP-address checks on specific ports.
The blog post by Safety Detectives read:
During this check, we discovered that Bykea had exposed all of its production server information. It had allowed access to over 200GB of data containing more than 400 million records showing people’s full names, locations, and other personal information. Such data can prove quite harmful in the hands of a hacker.
How did the data breach occur?
The antivirus review website explained:
The Elastic instance was left publicly exposed without password protection or encryption, which meant anyone in possession of the server’s IP-address could access the database and potentially remove data from it.
Safety Detectives further revealed that Bykea had suffered another data breach in September 2020, during which hackers reportedly deleted the entire database of the company. At the time, Bykea was unaffected because it kept regular backups.
Regarding the September 2020 data breach, Bykea CEO Muneeb Maayr said:
The hack did occur. It was business as usual given that we have backups in place for this very possible instance. The attack was caught early on, providing us enough time to contain it.
What data was leaked?
The antivirus website disclosed that the leaked files contained personally identifiable information (PII) for both customers and contracted employees, including their drivers, termed as ‘partners’ by Bykea.
Safety Detectives continued to state:
Other unsecured information included Internal API logs, collection and delivery location information, user token ID with cookie details and session logs, specific GPS coordinates, vehicle information including model and number plate, driver license expiry information, miscellaneous user device information, and encrypted IMEI numbers.
The blog post also revealed that the online service also has commercial relationships with other Pakistani companies, including K-Electric, EasyPaisa, and JazzCash, allowing customers to pay their electricity bills, get cash and send money with the assistance of a Bykea driver and its app. This data was also stored on Bykea’s database and was exposed in the leak.
Bykea has not issued a formal statement on the matter yet; the company has neither denied nor accepted the claims.
What are your thoughts on this? Please share with us in the comment section below.