Tap30 ride-hailing app experiences major data leaks

As reported on the blog Security Discovery, the popular Iranian taxi app Tap30 is reeling from a breach of its database. The security consultant Bob Diachenko discovered the data leak while doing an audit of NoSQL databases. He noticed that the database had been publicly exposed for at least three days and had compromised the information of Tap30 drivers and other "unique records." In total the database leak jeopardized the personal data of 300,000 drivers, and though the database is now secure, this is a frightening fact undoubtedly for drivers in the employ of Tap30.

While Diachenko insists in an interview with Kaspersky Lab that "there is no evidence that the data was abused" that the leak was an “isolated incident," it still is worth noting what was exposed for the sake of the drivers. The exposed information about Tap30 drivers includes their full names, their Social Security Organization number (found in plain text), their phone number, and invoice dates (which total in the millions). To their credit, Tap30 did secure the database as soon as they were notified by Bob Diachenko, but it still is unacceptable that this incident occurred in the first place.

As Diachenko explains in his blog post, however, these sorts of breaches are incredibly easy to cause for the type of database involved:

Danger of having exposed MongoDB or similar NoSql databases is huge. I have previously reported that the lack of authentication allowed the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.

Thankfully, the damage seems to have been mitigated, but next time the company and its employees might not be so lucky.

Featured image: Flickr/Jon’s Pics

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Share
Published by
Derek Kortepeter

Recent Posts

Deploy Windows from the cloud to on-premises hardware? Yes, you can

Wouldn’t it be nice if you could deploy Windows from the cloud while sipping an…

8 hours ago

Blackbaud data breach after ransomware attack hits universities, nonprofits

Blackbaud, a cloud services provider focused on the education sector and nonprofits, suffered a data…

13 hours ago

Sending email from Linux terminal: Efficient and powerful solution

Knowing how to send email from the Linux command line is important, especially when you…

1 day ago

Family Tree Maker genealogy software experiences data breach

A data breach affecting popular genealogy software Family Tree Maker has been discovered and patched,…

1 day ago

Review: Microsoft 365 monitoring solution GSX Gizmo

In a world of distributed employees, GSX Gizmo provides monitoring of Microsoft 365 and on-premises…

2 days ago

Nmap: All about this free open-source network monitoring tool

Nmap is a free open-source tool used to scan networks, identify vulnerabilities, find open ports,…

2 days ago