Iranian Ride-Hailing App Exposed Drivers’ Information Via Unsecured Database

Another MongoDB instance exposed million of records carrying sensitive information. As discovered, the unsecured database linked back to an Iranian ride-hailing app. The leaked records included personal information of Iranian drivers.

Data Leaked By Iranian Ride-Hailing App

Researcher Bob Diachenko has once again come across a leaky database that exposed the personal information of millions of individuals. As reported, the unsecured database from an Iranian ride-hailing app left the data of Iranian drivers publicly accessible online. Diachenko stated about his findings in detail in his blog post.

Allegedly, he found the publicly accessible MongoDB instance via BinaryEdge search engine during a regular audit for nonSql databases. He noticed the leaked details included sensitive information about the drivers such as drivers’ names, contact numbers, invoice date, and SSN (Iranian ID number).

The unsecured database entitled “doroshke-invoice-production” contained two collections. One of these, named ‘invoice95’ had 740,952 records from the year 2017. Whereas, the other collection, named ‘invoice96’ contained 6,031,317 records from 2018. In all, this makes the total data put at risk up to 6,772,269 records. After removing the duplicate entries, Diachenko estimated the actual unique data to be around 1 to 2 million.

Database Now Secured

Initially, Diachenko couldn’t establish the owner of the database, since the leaked details had no hint about the company affiliation. Nonetheless, he did report the matter to the Iranian CERT for necessary action.

Bob Diachenko found the unsecured database on April 18, 2019. Later that day, he confirmed in his tweet that the then unidentified vendors secured the database.

In another tweet the following day, Diachenko revealed that the data belonged to Tap30 – one of the leading Iranian ride-hailing services.

Let us know your thoughts about the article in the comments section below.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients