As reported on the blog Security Discovery, the popular Iranian taxi app Tap30 is reeling from a breach of its database. Security consultant Bob Diachenko discovered the data leak while doing an audit of NoSQL databases. He noticed that the database had been publicly exposed for at least three days and had compromised the information of Tap30 drivers and other "unique records." In total, the leak jeopardized the personal data of 300,000 drivers, and though the database is now secure, this is undoubtedly frightening news for drivers in the employ of Tap30.
While Diachenko insists in an interview with Kaspersky Lab that "there is no evidence that the data was abused" and that the leak was an "isolated incident," it is still worth noting what was exposed, for the sake of the drivers. The exposed information about Tap30 drivers includes their full names, their Social Security Organization number (found in plain text), their phone number, and invoice dates (which total in the millions). To their credit, Tap30 did secure the database as soon as they were notified by Bob Diachenko, but it is still unacceptable that this incident occurred in the first place.
As Diachenko explains in his blog post, however, these sorts of breaches are incredibly easy to cause for the type of database involved:
The danger of having exposed MongoDB or similar NoSQL databases is huge. I have previously reported that the lack of authentication allowed the installation of malware or ransomware on the MongoDB servers. The public configuration allows the possibility of cybercriminals to manage the whole system with full administrative privileges. Once the malware is in place, criminals could remotely access the server resources and even launch a code execution to steal or completely destroy any saved data the server contains.
Thankfully, the damage seems to have been mitigated, but next time the company and its employees might not be so lucky.