The data leak was the result of a misconfiguration in one of the company's servers
The exposed data totalled 259 GB and included photos, videos and personal details of users
BabyChakra could have easily avoided exposing its customers’ data if it had taken some basic security measures, says VPNMentor
Mumbai-based online parenting platform BabyChakra exposed the data of its users — which includes parents and, indirectly, their children — due to a misconfiguration in one of its servers. The misconfiguration made over 5.5 Mn files, belonging to a few hundred thousand individuals, publicly accessible. The exposed data is said to total 259 GB and includes photos, videos, personal details and other sensitive information of the users.
According to the research team at VPNMentor, led by Israeli security researcher Noam Rotem, the exposed data included millions of photos and videos of BabyChakra's users, some of them sensitive, such as medical test results, prescriptions and more. Some of these photos were of the children and families of the affected users. The data had been collected since the company's inception in 2015.
The data also included over 35K invoices and 19.8K packaging slips from purchases made through the BabyChakra website. Personally identifiable information (PII) such as full names, phone numbers and residential addresses of over 55K users, including minors, was exposed on the internet. The remaining files exposed 1.32 Lakh records relating to the company's customers that had been obtained from various sources, such as third-party applications.
VPNMentor discovered the issue within the BabyChakra platform on February 4, 2021, and reported it to the company on February 9 after an initial investigation. However, the company did not respond. The researchers reached out to BabyChakra again on March 17 and separately reported the issue to Amazon Web Services on the same date. The bucket was found to be secured by April 26, 2021.
"BabyChakra's failure to adequately store and secure such a massive amount of data has significant implications for its customers — and the company itself," the researchers said in a blog post. The potential impact of the exposure includes fraud and identity theft, physical theft, predatory activity and more.
"BabyChakra could have easily avoided exposing its customers' data if it had taken some basic security measures," researchers at VPNMentor added, saying that the company should have secured its servers, implemented proper access rules and never left a system that does not require authentication open on the internet.
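The article says the exposed store was a bucket reported to Amazon Web Services and that the fix was "proper access rules"; the following is an added example, not code from BabyChakra, VPNMentor or AWS, of what the corresponding check looks like. It assumes the bucket was an S3 bucket and inspects the JSON shapes returned by `aws s3api get-bucket-acl`, `get-bucket-policy` and `get-public-access-block` entirely offline, so it needs no AWS credentials. The ACL, policy and owner IDs below are constructed; the hardened Block Public Access setting is shown beside the weak one.

```python
"""Offline audit of S3-style bucket access settings for anonymous access.

Added example for this article; not code from BabyChakra or vpnMentor. It
assumes the exposed store was an S3 bucket and inspects the JSON shapes
returned by `aws s3api get-bucket-acl`, `get-bucket-policy` and
`get-public-access-block`. All sample inputs below are constructed.
"""

# Grantee URIs that S3 uses for "everyone" and "any AWS account".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The hardened setting: all four Block Public Access flags on. With
# IgnorePublicAcls and RestrictPublicBuckets set, public ACL grants and
# anonymous bucket-policy statements stop taking effect.
HARDENED_PUBLIC_ACCESS_BLOCK = {
    "BlockPublicAcls": True,
    "IgnorePublicAcls": True,
    "BlockPublicPolicy": True,
    "RestrictPublicBuckets": True,
}


def public_acl_grants(acl):
    """Return (grantee_uri, permission) for every grant to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant.get("Permission")))
    return findings


def _principal_is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy):
    """Split anonymous Allow statements into unconditional ones (public) and
    ones carrying a Condition block (manual review: a Condition such as
    aws:SourceVpce may narrow access, or may not)."""
    public, review = [], []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow" or not _principal_is_anonymous(st.get("Principal")):
            continue
        label = st.get("Sid", f"statement[{i}]")
        (review if st.get("Condition") else public).append(label)
    return public, review


def bucket_is_public(acl, policy, public_access_block):
    """Decide whether anonymous access is effective, taking the bucket-level
    Block Public Access flags into account (simplified model)."""
    pab = public_access_block or {}
    acl_open = bool(public_acl_grants(acl)) and not pab.get("IgnorePublicAcls", False)
    policy_open = bool(public_policy_statements(policy)[0]) and not pab.get("RestrictPublicBuckets", False)
    return acl_open or policy_open


# --- constructed sample: the weak configuration (hypothetical IDs) -----------
WEAK_ACL = {
    "Owner": {"ID": "example-owner-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
}
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket",
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-example"}}},
    ],
}
WEAK_PUBLIC_ACCESS_BLOCK = {k: False for k in HARDENED_PUBLIC_ACCESS_BLOCK}

if __name__ == "__main__":
    print("ACL grants to public groups:", public_acl_grants(WEAK_ACL))
    print("policy statements (public, needs review):", public_policy_statements(WEAK_POLICY))
    print("public with weak settings:", bucket_is_public(WEAK_ACL, WEAK_POLICY, WEAK_PUBLIC_ACCESS_BLOCK))
    print("public with hardened block:", bucket_is_public(WEAK_ACL, WEAK_POLICY, HARDENED_PUBLIC_ACCESS_BLOCK))
```

The same ACL and policy are flagged as public under the weak settings and as closed once all four Block Public Access flags are on, which is why the account-wide block is the first control to verify; a statement with a Condition is reported separately rather than silently accepted, because whether it narrows access depends on the condition.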
Last year, UK-based cybersecurity researcher Roni Suchowski discovered a similar data leak at Gurugram-based online school management platform Skolaro. Skolaro had exposed data belonging to over 50K students studying in around 100 Indian schools, as well as their parents and teachers, after storing its database on unsecured servers.
The database also held over 130K user IDs and passwords that were lying unprotected. Each of these usernames belonged to an existing or former user of Skolaro's platform, and Suchowski said that anyone with basic knowledge of web development could easily take a look at the database.
The database contained usernames, passwords, age, blood group, religion, address, admission number, school name, date of birth, grades and profile image, among other details. It also contained the medical history of some students, making it ripe for identity theft and other crimes.