CloudDefense.AI has found that Indian at-home salon platform Yes Madam had left sensitive customer and gig worker data exposed due to a server-side misconfiguration. According to the startup's website, Yes Madam operates in over 30 cities in India and offers salon services at home, including therapies, massage, spa, and male grooming. With over a million app downloads, Yes Madam's mobile apps are popular among users who prefer to get salon services in the comfort of their own homes.
However, due to a server-side misconfiguration, a database containing full names, mobile numbers, mailing addresses, email addresses, location data, payment links, and device details of hundreds of thousands of Yes Madam customers was left connected to the internet without a password since at least February 20. In addition, profile images, names, and mobile numbers of gig workers on the platform were also exposed.
The database was discovered by our security researcher Anurag Sen, who promptly notified Yes Madam and TechCrunch to help report the issue. Because of the misconfiguration, anyone who knew the database's IP address could view the exposed data using nothing more than a web browser. Sen said the database held entries for more than 900,000 users. The finding was covered by TechCrunch.
Upon being notified, Yes Madam secured the database and claimed to have implemented a fix. However, it is unclear if anyone else accessed the data before it was secured. When asked if Yes Madam had the technical means, such as logs, to determine whether the exposed data was accessed by anyone else, Yes Madam co-founder Mayank Arya did not provide further comment.
Sen also informed India's Computer Emergency Response Team (CERT-In) about the data exposure, as the agency is responsible for handling cybersecurity incidents in the country.
This incident highlights the importance of basic security controls for protecting user data, starting with never leaving an internet-reachable database without authentication. Startups and established businesses alike should ensure that their systems are secured and regularly audited so that exposures like this are caught before they compromise user privacy. It also underscores the value of researchers and security professionals identifying such exposures and reporting them to the affected companies and the relevant authorities before they turn into breaches.
In conclusion, while Yes Madam has secured the exposed database, this incident serves as a warning to all companies that handle user data to take their security measures seriously and ensure that their customers' sensitive information is protected.