Once again, an Indian firm serving more than a million customers has inadvertently leaked huge records online. According to researchers, the firm Jiva Ayurveda exposed over a million user records with details of thousands of orders’ through an unsecured database. The researchers tried to reach out to the company, however received no response, after which they contacted us at LHN.
Jiva Ayurveda Exposed Explicit Personal Records
Reportedly, two security researchers, Suraj Malhotra and Himanshu Gangwani have found a leaky database instance. As discovered, the unsecured database belonging to an Indian medicine company Jiva Ayurveda exposed 1.2 million user records with 300,000 order details.
The researchers shared their findings directly with LHN after they found this unprotected Elastic database. Upon scratching the surface, they could establish the link of the database to Jiva Ayurveda which has dealt with more than 1.5 million patients as claimed on their website. Considering this figure, it seems the database had details of a vast majority of Jiva Ayurveda patients that it left publicly accessible.
Regarding the leaked details, the researchers could easily view explicit personal information of the patients. This includes their names, gender, phone numbers, complete shipping address, customer IDs and patient IDs.
Moreover, the leaked details also include details order information of about over 300,000 orders placed on the company’s website. These details include order IDs, delivery status, tracking numbers, order price any discounts, date of creation, dispatch date, and others.
The researchers shared a sample of the leaked data with LHN, which contained information of about 5000 orders.
Commenting about the risks associated with this breach, the researchers told LHN,
“These details are very crucial as one can use them for impersonating, use their phone numbers for malicious purpose, spamming, phishing and spreading false information. Also, one could sell these details onto the dark web.”
No Fix Yet…!!!
The researchers found the open Elastic database a few days after it was added. They observed that the database remained open since June 6, 2019. After this discovery, they made numerous attempts to reach the company and inform them of the incident. Nonetheless, they could not receive any response from Jiva Ayurveda, after which, they contacted LHN. They stated the following:
“We tried contacting to company itself through the email provided by them on their website and also messaged them on Twitter but they didn’t respond to our query.”
Jiva Ayurveda is an Indian-based medicine company that aims at ‘taking Ayurveda to every home’. The company that started off in 1998 has served more than a million patients ‘across 1800 cities and towns India’, as claimed on their website. Having such broad coverage, it is indeed alarming that the firm has seemingly paid no attention to their database security.
Let us know your thoughts in the comments.