Bykea responds regarding reported vulnerability by Safety Detectives

UPDATED to include Bykea’s statement:

Safety Detectives is a team of online security experts and, as ethical hackers, reported a vulnerability on one of Bykea’s backup logging nodes in November 2020. The company had attracted interest after a public hacking incident on Aug 31st, when Bykea’s database was deleted and it took 24 hours to recover from the downtime.

Representatives from Bykea were in touch with Safety Detectives, who then helped the security team at Bykea solve the vulnerability. Unlike what bloggers in the aftermath of the article on Safety Detectives’ site inferred, this was a vulnerability identification, not a breach of stolen data for criminal purposes. The citation of 400 million files mostly comprises millions of GPS pinpoints that Bykea solicits in tracking over a two-week period in 2020, and drivers can rest assured that national ID data is encrypted now on Bykea. Bykea has been on a hiring spree since the middle of 2020, bolstering the engineering team as well as specifically adding dedicated security resources to recognize the importance of this function.

“Information security is a crucial function and protecting consumer information is a key activity in building trust for rapidly growing digital companies like Bykea,” said Muneeb Maayr, who went on to say: “Security researchers and teams like Safety Detectives play a crucial role in creating awareness and helping companies all around the world identify and plug their weaknesses, a contribution Bykea explicitly welcomes.”

Bykea had engaged a multitude of security companies including SecurityWall that ran pen tests on Bykea’s infrastructure and a vulnerability disclosure program with HackerOne. The company is exploring ways to build ongoing collaborations with ethical hackers to advance their mutual interests of building a secure digital economy protecting personal information while empowering consumers with new services and digitally enabled value propositions. More details on Bykea’s vulnerability disclosure and bug bounty program can be found here: bykea.com/security

Original article below:

Bykea, a renowned bike-hailing application in Pakistan, has suffered a massive security breach which has allegedly affected its extensive database.

According to a report published by Safety Detectives, Bykea has seemingly exposed more than 200 gigabytes worth of data. This data includes more than 400 million customer records, which include names, addresses, payment information, and other highly personal and sensitive data. This elastic server vulnerability was discovered during a routine IP-address check.

Apparently, the researchers found the link extremely easy to hack into, as no password protection or encryption of any kind was used; anyone in possession of the server’s IP address could access the database and remove or manipulate its data.

Examples of the customer data that was retrieved from the server are given below:

  • Full names
  • Phone numbers
  • Email addresses

Drivers’ information was not safe from the breach either. The information that was retrieved is given below:

  • Full names
  • Phone numbers
  • Address
  • CNIC (Computerised National Identity Card)
  • Driver license numbers, issuing city and expiry dates
  • Body temperature

This is not the first time Bykea has been at the forefront of a privacy breach. In September 2020, hackers gained access to the ENTIRE database of Bykea users and deleted all of its data. Bykea responded by simply saying that the company was keeping regular backups, so its services remained unaffected. However, several breaches of the same server, exposing sensitive information such as location data and phone numbers, are something to be really concerned about.

We have reached out to Bykea for a statement regarding this breach and will update this space accordingly.

Source: Safety Detectives

Hamnah Khalid also contributed to this article.

Published by
Shaheryar Ehsan