Tap30 ride-hailing app experiences major data leaks

As reported on the Security Discovery blog, the popular Iranian taxi app Tap30 is reeling from a breach of its database. Security consultant Bob Diachenko discovered the data leak while auditing NoSQL databases. He found that the database had been publicly exposed for at least three days, exposing the information of Tap30 drivers and other "unique records." In total, the leak jeopardized the personal data of 300,000 drivers, and though the database is now secure, this is undoubtedly a frightening fact for drivers in the employ of Tap30.

While Diachenko insists in an interview with Kaspersky Lab that "there is no evidence that the data was abused" and that the leak was an "isolated incident," it is still worth noting what was exposed, for the sake of the drivers. The exposed information about Tap30 drivers includes their full names, their Social Security Organization numbers (found in plain text), their phone numbers, and invoice dates (which total in the millions). To its credit, Tap30 did secure the database as soon as it was notified by Bob Diachenko, but it is still unacceptable that this incident occurred in the first place.

As Diachenko explains in his blog post, however, these sorts of breaches are incredibly easy to cause for the type of database involved:

"Danger of having exposed MongoDB or similar NoSql databases is huge. I have previously reported that the lack of authentication allowed the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains."

Thankfully, the damage seems to have been mitigated, but next time the company and its employees might not be so lucky.
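
As an added illustration (not code from the original article or from Security Discovery), the Python sketch below audits a mongod.conf for the two conditions the quote describes: access control left off and a listener reachable beyond localhost. The sample configs, finding names and minimal parser are constructed for this example, and it assumes MongoDB 3.6+ defaults (localhost bind, access control off).

```python
import ipaddress

# Constructed sample configs for illustration; not taken from the Tap30 incident.
EXPOSED_CONF = """\
net:
  bindIp: 0.0.0.0   # every interface, and no security section at all
"""
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,10.0.5.12
security:
  authorization: enabled
"""

def flatten(text):  # nested-mapping subset of YAML -> {"net.bindIp": "..."}
    out, stack = {}, []  # stack holds (indent, key) for each open section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value.strip():
            out[".".join([k for _, k in stack] + [key])] = value.strip().strip("\"'")
        else:
            stack.append((indent, key))
    return out

def is_local(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:  # hostname or Unix socket path; other hostnames count as remote
        return addr == "localhost" or addr.startswith("/")

def audit(text):
    """Return finding IDs; assumes MongoDB 3.6+ defaults (localhost bind, auth off)."""
    cfg = flatten(text)
    binds = [b.strip() for b in cfg.get("net.bindIp", "127.0.0.1").split(",")]
    if cfg.get("net.bindIpAll", "false").lower() == "true":
        binds.append("0.0.0.0")
    auth = cfg.get("security.authorization") == "enabled" or "security.keyFile" in cfg
    findings = [] if auth else ["auth-disabled"]
    if any(b in ("0.0.0.0", "::") for b in binds):
        findings.append("binds-all-interfaces")
    if not auth and not all(is_local(b) for b in binds):
        findings.append("unauthenticated-network-access")
    return findings
```

The combination reported as `unauthenticated-network-access` is the one to treat as urgent; a firewall or security group in front of the host is a separate layer this check does not see.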


Derek Kortepeter
