Tap30 ride-hailing app experiences major data leaks

As reported on the blog Security Discovery, the popular Iranian taxi app Tap30 is reeling from a breach of its database. The security consultant Bob Diachenko discovered the data leak while doing an audit of NoSQL databases. He noticed that the database had been publicly exposed for at least three days and had compromised the information of Tap30 drivers and other "unique records." In total the database leak jeopardized the personal data of 300,000 drivers, and though the database is now secure, this is a frightening fact undoubtedly for drivers in the employ of Tap30.

While Diachenko insists in an interview with Kaspersky Lab that "there is no evidence that the data was abused" that the leak was an “isolated incident," it still is worth noting what was exposed for the sake of the drivers. The exposed information about Tap30 drivers includes their full names, their Social Security Organization number (found in plain text), their phone number, and invoice dates (which total in the millions). To their credit, Tap30 did secure the database as soon as they were notified by Bob Diachenko, but it still is unacceptable that this incident occurred in the first place.

As Diachenko explains in his blog post, however, these sorts of breaches are incredibly easy to cause for the type of database involved:

Danger of having exposed MongoDB or similar NoSql databases is huge. I have previously reported that the lack of authentication allowed the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.

Thankfully, the damage seems to have been mitigated, but next time the company and its employees might not be so lucky.

Featured image: Flickr/Jon’s Pics

Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and tech journalist that is committed to creating an informed society with regards to Information Security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.

Share
Published by
Derek Kortepeter

Recent Posts

Best programming languages to learn in 2020

Every hour you spend learning to code will pay off big. But which are the best programming languages to learn?…

6 hours ago

Endpoint security best practices and policies to mitigate risks

Failure to adequately secure endpoints can have catastrophic results. Here’s a look at the most important endpoint security best practices.

11 hours ago

Simplifying complex networks: A guide for enterprises

As networks grow in technological capabilities, they are harder to manage. Here are some tools for simplifying complex networks that…

14 hours ago

Managing Azure firewall and virtual networks with PowerShell

Here’s how to manage firewall and virtual networks in a Storage Account and how to use Azure Automation to enforce…

1 day ago

Microsoft exposed 250 million users’ private records in December

Microsoft exposed roughly 250 million customer service and support records last month. While the company says it secured all servers,…

1 day ago

Keep a lid on your AWS cloud goodies with breach and attack simulation

If you store business data in the AWS cloud, you need to secure it against unauthorized access. A breach and…

2 days ago