Parenting Platform BabyChakra Exposes 5.5 Mn Files Carrying Data Of Parents, Children

SUMMARY

The data leak was a result of misconfiguration in one of the company’s servers

The entire data was 259 GB in size and included photos, videos and personal details of the users

BabyChakra could have easily avoided exposing its customers’ data if it had taken some basic security measures, says VPNMentor

Mumbai-based online parenting platform BabyChakra exposed the data of its users — which includes parents and indirectly their children — due to a misconfiguration in one of its servers. The misconfiguration made over 5.5 Mn files, belonging to a few hundred thousand individuals, publicly accessible. The entire data is said to be 259 GB in size and includes photos, videos, personal details and other sensitive information of the users.

According to the research team at VPNMentor, led by Israeli security researcher Noam Rotem, the data bank included millions of photos and videos of BabyChakra’s users and some sensitive subjects like medical test results, prescriptions and more. Some of these photos were associated with the children and families of the affected users. The data had been collected since the inception of the company in 2015.

The data also included over 35K invoices and 19.8K packaging slips from purchases made through the BabyChakra website. Personally identifiable information (PII) such as full names, phone numbers, residential addresses and more of over 55K users, including minors, was exposed on the internet. The remainder of the files exposed 1.32 Lakh records relating to the company’s customers that were obtained from various sources like third-party applications.

VPNMentor discovered the issue within the BabyChakra platform on February 4, 2021, and reported it to the company on February 9 after an initial investigation. However, the company did not respond to VPNMentor. The researchers reached out to BabyChakra once again on March 17, and separately reported the issue to Amazon Web Services on the same date. The bucket was found secured by April 26, 2021.

“BabyChakra’s failure to adequately store and secure such a massive amount of data has significant implications for its customers — and the company itself,” the researchers said in a blog post.

The potential impact of this data dump exposure could include fraud and identity theft, physical theft, predatory activity and so on.

“BabyChakra could have easily avoided exposing its customers’ data if it had taken some basic security measures,” researchers at VPNMentor added, saying that the company should have secured its servers, implemented proper access rules and never left a system that did not require authentication open to the internet.

BabyChakra, in a statement, said that it did reach out to VPNMentor on April 28 to understand other potential risks they might have discovered. The company emphasised no financial or credit card details were at risk. Besides this, all passwords, personal chats, group chats and consultations between the users and experts were also fully secure, according to the company’s claim.

To avoid any vulnerabilities in the future, BabyChakra will add a three-tier review process on any feature that goes into production and will also conduct quarterly security audits. “We will be further tightening our network security with the help of an outside, third party expert accredited security agency,” the company said.

BabyChakra’s founder Naiyya Saggi, in a conversation with Inc42, emphasised that this wasn’t a data leak and that the majority of the data in the bucket was publicly available, including the content created by BabyChakra. She also noted that the vulnerabilities would impact, at most, 60K individuals, not a ‘few hundred thousand’, as highlighted by VPNMentor. “Information shared by users in our public forums was in this S3 bucket. Our expert consultation data and personal/group chats data is stored separately and is secure. Please note no minors are allowed to register on our platform and we solicit no data from minors. We do not and never have captured names, phone number, addresses and financial information from minors,” she added.

Launched in February 2015 by Harvard Business School and McKinsey alumnus Naiyya Saggi, BabyChakra counts Equanimity Ventures Fund, RoundGlass Partners, Artha Ventures, among others as its investors. The company was also part of Google Launchpad Accelerator.

Last year, UK-based cybersecurity researcher Roni Suchowski discovered a similar data leak by Gurugram-based online school management platform Skolaro. Skolaro had exposed data belonging to over 50K students studying in around 100 Indian schools, their parents as well as teachers, after storing its database on unsecured servers.

It also had over 130K user IDs and passwords lying unprotected in the database. Each of these usernames belonged to an existing or former user of Skolaro’s platform, and Suchowski said that anyone with basic knowledge of web development could easily take a look at the database.

The database contained usernames, passwords, age, blood group, religion, address, admission number, school name, date of birth, grades, profile image among other details. It also contained the medical history of some students, making it ripe for identity theft and other acts of crime.

Update: May 13, 2021 | 11:49 PM

The article has been updated to include inputs from BabyChakra
