The personal details of hundreds of thousands of Indians have recently been leaked, revealing details such as full names, birth dates, home addresses, national identity cards and more.
The data breach was uncovered by security sleuths and concerned users of CashMama, a now-defunct money lending platform based in India. CashMama’s S3 bucket (a container of objects stored on Amazon’s cloud) was apparently left open, compromising the personal data of thousands of Indians.
The app in question is no longer operational, as it was shut down after an instant loan app scandal. Founded in Hyderabad in 2018, CashMama offered loans between ₹3,000 and ₹5,000 in minutes. Its operators were arrested in 2020 by Indian authorities for blackmail, harassment, coercion and financial fraud.
Using references to the company in the stored emails, security detectives were able to trace the bucket back to CashMama. What does this imply? Quite simply, CashMama allowed its owners to spy on customers through mobile apps and related services.
What information has been disclosed?
According to Safety Detectives, over 6.5 million files were leaked through the misconfigured Amazon S3 bucket, totaling over 1TB of data. Sensitive customer data from at least four apps, including CashMama, LoanZone/Vayloan and MeraLoan, was compromised.
The list of leaked Personally Identifiable Information (PII) is extremely long: full names, birth dates, home addresses, parents’ names, occupations, email addresses, IFSC codes, bank account details, company, PAN numbers, photos, payment and location histories, and more.
Beyond PII, phone data including SMS data, contacts, device information, battery status and fingerprint data for Vayloan has also been made public due to this data breach. “CashMama’s AWS S3 bucket contained nearly 650,000 SMS data files and nearly one million SMS and contact history files – the latter exposing phone-related data for over 350,000 customers,” writes Safety Detectives.
The threats of such failures
There is a range of threats to those whose data was compromised in this breach. Identity theft, phishing, scams and fraud are just a few of the many concerns of users whose private information has been made public. Cybercriminals and malicious actors could use this information to open bank accounts in the person’s name to obtain loans and mortgages. “Victims could be left with the prospect of financial ruin,” the report said.
That’s not all! People’s scraped SMS conversations could be used by hackers to blackmail customers until the victim pays a fee.
The open S3 bucket was discovered on November 11, 2021 and affects approximately 200-600,000 users, with a total of 6.5 million files exposed so far, with a total size of 1TB. CashMama’s bucket was secured between January 11-13, 2022 after security sleuths contacted India’s Computer Emergency Response Team (CERT) and Amazon Web Services.
How can you stay safe?
Always check who you provide personal information to. Checking the veracity of an application and reading reviews is a good way to ensure the security of your data. Also, avoid disclosing identifying data, including government ID numbers and personal preferences, to unknown parties.
Resist the urge to click on links that promise instant loans or more and check the security of the website (no https means no security). Keeping yourself informed about cybercrime and how criminals trick users into divulging sensitive information can go a long way in protecting your identity online.