Mumbai-based online parenting platform BabyChakra exposed the data of its users — which includes parents and indirectly their children — due to a misconfiguration in one of its servers. The misconfiguration made over 5.5 Mn files, belonging to a few hundred thousand individuals, publicly accessible. The entire dataset is said to be 259 GB in size and includes photos, videos, personal details and other sensitive information of the users.
According to the research team at VPNMentor, led by Israeli security researcher Noam Rotem, the data bank included millions of photos and videos of BabyChakra’s users and some sensitive subjects like medical test results, prescriptions and more. Some of these photos were associated with the children and families of the affected users. The data was collected since the inception of the company in 2015.
The data also included over 35K invoices and 19.8K packaging slips from purchases made through the BabyChakra website. Personally identifiable information (PII) of over 55K users, including minors, such as full names, phone numbers, residential addresses and more, was exposed on the internet. The remainder of the files exposed 1.32 Lakh records relating to the company’s customers that were obtained from various sources, such as third-party applications.
VPNMentor discovered the issue within the BabyChakra platform on February 4, 2021, and reported it to the company on February 9 after an initial investigation. However, the company did not respond to VPNMentor. The researchers once again reached out to BabyChakra on March 17, and also reported the issue separately to Amazon Web Services on the same date. The bucket was found to be secured by April 26, 2021.
“BabyChakra’s failure to adequately store and secure such a massive amount of data has significant implications for its customers — and the company itself,” the researchers said in a blog post.
The potential impact of this data dump exposure could include fraud and identity theft, physical theft, predatory activity and so on.
“BabyChakra could have easily avoided exposing its customers’ data if it had taken some basic security measures,” researchers at VPNMentor added, saying that the company should have secured its servers, implemented proper access rules and never left a system that did not require authentication to open on the internet.
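The exposure described in this article is the familiar pattern of an S3 bucket reachable without authentication. The following is an added example, not code from the article, VPNMentor or BabyChakra, showing the kind of offline check a defender can run over a bucket policy before it reaches production: a constructed weak policy that grants `s3:GetObject` to everyone sits beside a constructed hardened one scoped to a single application role (the account id and role name are placeholders), and a second function checks that all four S3 Public Access Block settings are enabled.

```python
"""Offline audit of an S3 bucket policy for anonymous (public) access.

Added example; not code from the article or from BabyChakra. Both policies
below are constructed for illustration; the account id and role name are
placeholders.
"""
import json

# Constructed: a bucket policy that lets anyone on the internet read every object.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-user-uploads/*",
    }],
}

# Constructed: the same read access limited to one application role (placeholder ARN).
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-user-uploads/*",
    }],
}


def _principal_is_anonymous(principal) -> bool:
    """True if the Principal element matches everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        values = principal.get("AWS", [])
        if isinstance(values, str):
            values = [values]
        return "*" in values
    return False


def public_statements(policy) -> list:
    """Return the Sids of Allow statements that grant access to an anonymous
    principal without any Condition narrowing the grant.

    Accepts the policy as a dict or as a JSON string.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # AWS allows a single statement object
        statements = [statements]
    found = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # A Condition (e.g. on aws:SourceVpc) restricts the grant; such
            # statements need manual review rather than an automatic verdict.
            continue
        found.append(stmt.get("Sid", "<no Sid>"))
    return found


def block_public_access_ok(config: dict) -> bool:
    """Check an S3 Public Access Block configuration: all four settings must be on."""
    keys = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")
    return all(config.get(k) is True for k in keys)


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: public statements = {public_statements(pol)}")
    print("public access block complete:", block_public_access_ok({
        "BlockPublicAcls": True, "IgnorePublicAcls": True,
        "BlockPublicPolicy": True, "RestrictPublicBuckets": True}))
```

The policy check deliberately treats a conditioned anonymous grant as "review manually" rather than "safe", since whether the condition actually closes the bucket depends on what it tests; the Public Access Block check is the account-level guardrail that prevents a policy like `WEAK_POLICY` from taking effect at all.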
BabyChakra, in a statement, said that it did reach out to VPNMentor on April 28 to understand other potential risks they might have discovered. The company emphasised no financial or credit card details were at risk. Besides this, all passwords, personal chats, group chats and consultations between the users and experts were also fully secure, according to the company’s claim.
To avoid any vulnerabilities in the future, BabyChakra will add a three-tier review process on any feature that goes into production and will also conduct quarterly security audits. “We will be further tightening our network security with the help of an outside, third party expert accredited security agency,” the company said.
BabyChakra’s founder Naiyya Saggi, in a conversation with Inc42, emphasised that this wasn’t a data leak and that the majority of the data in the bucket was publicly available, including the content created by BabyChakra. She also noted that the vulnerabilities would impact, at most, 60K individuals, not a ‘few hundred thousand’, as highlighted by VPNMentor. “Information shared by users in our public forums was in this S3 bucket. Our expert consultation data and personal/group chats data is stored separately and is secure. Please note no minors are allowed to register on our platform and we solicit no data from minors. We do not and never have captured names, phone numbers, addresses and financial information from minors,” she added.
Launched in February 2015 by Harvard Business School and McKinsey alumnus Naiyya Saggi, BabyChakra counts Equanimity Ventures Fund, RoundGlass Partners, Artha Ventures, among others as its investors. The company was also part of Google Launchpad Accelerator.
Last year, UK-based cybersecurity researcher Roni Suchowski had discovered a similar data leak by Gurugram-based online school management platform Skolaro. Skolaro had exposed data belonging to over 50K students studying in around 100 Indian schools, their parents as well as teachers, after storing its database on unsecured servers.
It also had over 130K user IDs and passwords lying unprotected in the database. Each of these usernames belonged to an existing or former user of Skolaro’s platform, and Suchowski said that anyone with basic knowledge of web development could easily take a look at the database.
The database contained usernames, passwords, age, blood group, religion, address, admission number, school name, date of birth, grades, profile image among other details. It also contained the medical history of some students, making it ripe for identity theft and other acts of crime.
Update: May 13, 2021 | 11:49 PM
The article has been updated to include inputs from BabyChakra