What's new

Multimillion-dollar Pakistani delivery company leaks 400+ million files of Pakistani citizens data leaked

Bambi

BANNED
Dec 12, 2020
500
0
168
Country
India
Location
India
A prominent vehicle-for-hire and parcel delivery company based in Pakistan has suffered a significant data breach which affected its extensive user database.

The Safety Detectives cybersecurity team, led by head researcher Anurag Sen, discovered the elastic server vulnerability during routine IP-address checks on specific ports.

In this instance, our team discovered that Karachi-based company Bykea had exposed all its production server information and allowed access to over 200GB of data containing more than 400 million records showing people’s full names, locations and other personal information that could potentially be harnessed by hackers to cause financial and reputational damage.

The Elastic instance was left publicly exposed without password protection or encryption which meant anyone in possession of the server’s IP-address could access the database and potentially remove data from it.

It appeared that in September 2020, Bykea suffered a separate breach, during which unidentified hackers reportedly deleted the company’s entire customer database. At the time, Bykea said it was unaffected by the intrusion because it kept regular backups.

In response, Bykea’s CEO Muneeb Maayr described the cyberattack as “nothing out of the ordinary” given that Bykea is a mobility-based tech firm. It remains unclear whether this latest breach is related to the hack attack in September.

Who is Bykea?
Founded in 2016 by Pakistani entrepreneur Muneeb Maayr, Bykea is a transportation, logistics and cash on delivery payments company, headquartered in Karachi, Pakistan. The company was one of the first to introduce the novel concept of “motorbike taxis”, used as a means of transport and delivery. Currently, the company offers its range of taxi services in Karachi, Rawalpindi and Lahore.

Bykea also operates as a vehicle-for-hire and parcel delivery company and maintains a software app offering users access to all its services via Google Play and App Store.

The company is an on-demand logistics provider that has embraced mobile demand and ubiquitous internet connectivity to fuel its rapid growth in recent years. The company raised almost US$6 million from private investors in 2019 and followed up by raising a further US$11 million this year. In total, Bykea has raked in US$22 million in private equity from notable investment groups such as Prosus Ventures, Middle East Venture Partners (MEVP) and Sarmayacar since 2016.

What was leaked?
The exposed server contained API logs for both the company’s web and mobile sites and all production server information. The 200GB database containing 400 million records was located on a production server that stores regularly updated data including internal logs including user details.

Bykea report

More specifically, the server contained personally identifiable information (PII) for both customers and contracted employees – their drivers, called “partners” by Bykea.

Bykea customer’s PII:

Full names
Phone numbers
Email addresses
Bykea partners’ (drivers’) PII:

Full names
Phone numbers
Address
CNIC (Computerised National Identity Card)
Driver license numbers, issuing city and expiry dates
Body temperature
Bykea report
Users’ full trip details exposed on the server

Other information was also left unsecured, such as:

Internal API logs
Collection and delivery location information
User token ID with cookie details and session logs
Specific GPS coordinates
Vehicle information including model and number plate
Driver license expiry information
Miscellaneous user device information
Encrypted IMEI numbers
Bykea report
Driver details including GPS coordinates

Our team discovered Bykea’s server contained customer invoices showing full trip information including where customers were picked and dropped off, driver arrival times, trip distances, fare details and more.

Bykea report
Trip details

Our team also found Bykea’s internal employee login and unencrypted password information on the unsecured server.

Bykea report
Employee login credentials

Moreover, Bykea had existing commercial relationships with other Pakistani companies including K-Electric, EasyPaisa and JazzCash allowing customers to pay their electricity bills, get cash and send money with the assistance of a Bykea driver and its app. This data was also stored on Bykea’s database and exposed in the leak.

Bykea report
Customer’s electric bill payment

Number of records leaked:400+ million
Number of affected users:Unknown
Size of data breach:200+ gigabytes
Server location:Boydton, United States
Company location:Karachi, Pakistan
Our security team discovered Bykea’s vulnerability on 14 November 2020. Upon contacting the company on 24 November, Bykea responded immediately by securing its database within 24 hours.

Data breach impact
From the large number of discovered records and the type of information made available, several negative outcomes could occur including identity theft, fraud, and phishing scams.

Full names, residential address details, ID documents like CNIC, online login information and location data could potentially be exploited by nefarious users to target unsuspecting people that registered with the company. Car registration and vehicle data could potentially be used to conduct insurance fraud and other heinous crimes involving stolen identities.

Also, user email addresses could be targeted by hackers who typically use deceptive methods such as infusing leaked customer data into email communications to trigger clickthroughs to malicious websites and installing malicious software.

Moreover, website backend data could be harnessed to exploit Bykea’s internal IT infrastructure including its app and website to generate ransomware attacks or simply to cripple its servers. Back-end technical logs expose not only personal information but also, data that can be weaponised to obtain full control of the server.


Read the report as I can't paste pics




 
Last edited:

ProudPak

FULL MEMBER
Feb 26, 2019
403
0
468
Country
Pakistan
Location
Pakistan
Meehan bank idiot contacted me today with an email with my full details including account number. A new manager introducing himself. idiot
 

Skywalker

SENIOR MEMBER
Sep 3, 2006
3,624
-16
3,486
Meehan bank idiot contacted me today with an email with my full details including account number. A new manager introducing himself. idiot
Meezan banks head of IT is a close friend of mine, if you need any help let me know.
 

ProudPak

FULL MEMBER
Feb 26, 2019
403
0
468
Country
Pakistan
Location
Pakistan
Meezan banks head of IT is a close friend of mine, if you need any help let me know.
Below are the details of the manager.
He wrote to me with my full name, address and account number in an email.

MOD EDIT - DO NOT SHARE PRIVATE INFO IN PUBLIC


I WOULD BE MOST GRATEFUL OF YOU CAN ASK YOUR FRIEND TO EDUCATE THIS IDIOT ON CYBER CRIME. THANKS IN ADVANCE BRO
 
Last edited by a moderator:

Incog_nito

FULL MEMBER
Jun 27, 2016
1,140
-1
331
Country
Pakistan
Location
Pakistan
Bykea should take cybersecurity services from some foreign reputable organization.
 

HttpError

SENIOR MEMBER
Feb 20, 2014
3,303
-10
5,404
Country
Pakistan
Location
Pakistan
Meezan banks head of IT is a close friend of mine, if you need any help let me know.
Please tell your friend to at-least enable 2FA on app or web login. I mean like seriously??? it is 2021 and they are not even using 2FA to begin with.
 

Incog_nito

FULL MEMBER
Jun 27, 2016
1,140
-1
331
Country
Pakistan
Location
Pakistan
I think we need more startups like Bykea but one thing is for sure - we also need cybersecurity company as well.
 

Zaki

SENIOR MODERATOR
Oct 20, 2008
19,837
19
22,996
Country
Pakistan
Location
United Kingdom
Its absolutely shocking. I don't know why Pakistani companies do not invest in Cyber security. It would be mega scandal had this happened in UK. I think Pakistani companies need to grow up and adapt latest technology to protect the precious information of their clients.
 

ProudPak

FULL MEMBER
Feb 26, 2019
403
0
468
Country
Pakistan
Location
Pakistan
Below are the details of the manager.
He wrote to me with my full name, address and account number in an email.

MOD EDIT - DO NOT SHARE PRIVATE INFO IN PUBLIC


I WOULD BE MOST GRATEFUL OF YOU CAN ASK YOUR FRIEND TO EDUCATE THIS IDIOT ON CYBER CRIME. THANKS IN ADVANCE BRO
That wasnt private info. Maybe you should spend the manager this message loool


He is a branch manager and an idiot. Everyone knows him at the branch. His phone number is listed and public knowledge.
 

Users Who Are Viewing This Thread (Total: 1, Members: 0, Guests: 1)


Top Bottom