Tap30 ride-hailing app experiences major data leaks

As reported on the Security Discovery blog, the popular Iranian taxi app Tap30 is reeling from a breach of its database. Security consultant Bob Diachenko discovered the data leak while auditing NoSQL databases. He noticed that the database had been publicly exposed for at least three days, compromising the information of Tap30 drivers and other "unique records." In total, the leak jeopardized the personal data of 300,000 drivers, and though the database is now secure, this is undoubtedly a frightening fact for drivers in the employ of Tap30.

While Diachenko insists in an interview with Kaspersky Lab that "there is no evidence that the data was abused" and that the leak was an "isolated incident," it is still worth noting what was exposed, for the sake of the drivers. The exposed information about Tap30 drivers includes their full names, their Social Security Organization numbers (found in plain text), their phone numbers, and invoice dates (which total in the millions). To its credit, Tap30 did secure the database as soon as it was notified by Bob Diachenko, but it is still unacceptable that this incident occurred in the first place.

As Diachenko explains in his blog post, however, these sorts of breaches are incredibly easy to cause for the type of database involved:

"The danger of having exposed MongoDB or similar NoSQL databases is huge. I have previously reported that the lack of authentication allowed the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains."

Thankfully, the damage seems to have been mitigated, but next time the company and its employees might not be so lucky.


Derek Kortepeter

Derek Kortepeter is a graduate of UCLA and a tech journalist who is committed to creating an informed society with regard to information security. Kortepeter specializes in areas such as penetration testing, cryptography, cyber warfare, and governmental InfoSec policy.
