A major bug in India’s bike-taxi aggregator app Rapido leaked the sensitive personal information of thousands of users and drivers across the country. The leaked information includes full names, phone numbers and email addresses, raising serious concerns about privacy and security.
Growing threat of data leaks and impact on Rapido
This data breach highlights the need for stronger data security measures to keep user information safe. Although the company has resolved the issue, the incident underscores the rising risk of data leaks in India’s rapidly growing digital economy.
How was the bug discovered?
The flaw was discovered by Indian security researcher Renganathan P. He identified an error in the feedback form on Rapido’s website. The form, which was used to collect feedback from auto-rickshaw users and drivers, relied on an API that was accidentally sharing sensitive information with an external third-party service.
Threats posed by data leaks
The leaked data posed serious risks, as cyber criminals could use it to launch large-scale social engineering attacks or sell it on the dark web. The researcher warned that the data could lead to phishing scams or other malicious activities targeting users and drivers.
More than 1,800 feedback forms leaked
The bug made more than 1,800 feedback forms, which contained sensitive information such as phone numbers and email addresses, publicly accessible. The exposed data also included the contact details of the drivers, further increasing the security risk.
How did Rapido act?
As soon as Rapido was informed of the breach, it responded and made the leaked portal private. However, a company spokesperson downplayed the issue and claimed that the leaked data was “non-personal”. He attributed this to the survey link inadvertently reaching the wrong users.
Increasing incidents of data leaks in India
This incident comes on the heels of another data breach at McDonald’s India (West and South). In July, a bug in McDonald’s delivery system caused data from customers and delivery partners, including names, phone numbers and email addresses, to become public. That bug was fixed in late September.
Incidents like this show how important it is to prioritize data security in India’s rapidly growing digital services.