A Yes Madam database containing sensitive information of 900,000 customers was allegedly left connected to the internet
Yes Madam also exposed profile images, names and mobile numbers of gig workers working for the platform
The startup, founded in 2017 by Aditya and Mayank Arya, operates in more than 30 cities in India, according to its website
Noida-based at-home salon startup Yes Madam allegedly exposed the sensitive data of its customers and gig workers owing to a server-side misconfiguration.
According to security researcher Anurag Sen, a database containing full names, mobile numbers, email addresses, and physical addresses of hundreds of thousands of customers was allegedly left connected to the internet by Yes Madam without a password since at least February 20.
The database also allegedly contained some location data of customers, including their latitude and longitude values, along with user device details (model, make, IMEI numbers) and payment links. Further, Yes Madam also exposed profile images, names and mobile numbers of gig workers working for the platform.
According to Sen, the database had data entries of more than 900,000 users. The security researcher added that, because of the misconfiguration, anyone with the database’s IP address could access the data using just a web browser.
Sen told Inc42 that he also informed the Indian Computer Emergency Response Team (CERT-In) about the data exposure.
TechCrunch reported that Yes Madam had secured the database on Friday (March 3), after it reached out to the startup’s cofounder Mayank Arya.
Inc42 has reached out to Yes Madam’s founding team and the story will be updated as and when they respond.
The startup, founded in 2017 by Aditya and Mayank Arya, operates in more than 30 cities in India, according to its website. Yes Madam has raised $100K in funding in its pre-seed round.
It offers at-home salon services, including massage, spa, therapies, hair treatments and male grooming services. Its app has also seen more than a million downloads.
The data breach at Yes Madam comes as Indian startups have increasingly been the target of cyberattacks. Over the past few months, companies such as Slick and RailYatri have suffered data breaches, exposing the data of millions of users in the process. Per a report by CERT-In, India saw around 13.91 Lakh reported cyberattacks in 2022.
However, that figure covers only the attacks reported to CERT-In. A senior Google executive had said in August 2022 that India suffered as many as 1.8 Cr cyberattacks per day, potentially taking the total for the year to 21.6 Cr.