Security breaches have become a grave concern for both individuals and businesses. CloudDefense.AI has found that Indian at-home salon platform Yes Madam had left sensitive customer and gig worker data exposed due to a server-side misconfiguration. According to the startup’s website, Yes Madam operates in over 30 cities in India and offers salon services at home, including therapies, massage, spa, and male grooming. With over a million app downloads, Yes Madam’s mobile apps are popular among users who prefer to get salon services in the comfort of their own homes.
Understanding the Breach
The Scope of the Data Exposure
The breach at Yes Madam has cast a shadow of uncertainty over the personal information of nearly a million individuals. Customer data, including names, contact information, and service histories, have been compromised. Additionally, sensitive financial information and personal identification data have also been exposed, raising concerns about potential identity theft and financial fraud.
Server-side Misconfiguration
However, due to a server-side misconfiguration, a database containing full names, mobile numbers, mailing addresses, email addresses, location data, payment links, and device details of hundreds of thousands of Yes Madam customers was left connected to the internet without a password since at least February 20. In addition, profile images, names, and mobile numbers of gig workers on the platform were also exposed.
How CloudDefense.AI Detected the Breach
The database was discovered by our security researcher Anurag Sen, who promptly notified Yes Madam and TechCrunch to help report the issue. Anyone with knowledge of the database’s IP address could access the spilling data due to the misconfiguration using just their web browser.Anurag Sen said the database had entries of more than 900,000 users. It was featured by TechCrunch.
Upon being notified, Yes Madam secured the database and claimed to have implemented a fix. However, it is unclear if anyone else accessed the data before it was secured. When asked if Yes Madam had the technical means, such as logs, to determine whether the exposed data was accessed by anyone else, Yes Madam co-founder Mayank Arya did not provide further comment.
Sen also informed India’s computer emergency response team CERT-In about the data exposure, as the agency is responsible for handling cybersecurity issues in the country.
This incident highlights the importance of implementing proper security protocols to protect user data. Startups and established businesses alike should ensure that their systems are secure and regularly audited to prevent data breaches that could compromise user privacy and security. It also underscores the need for researchers and security professionals to be vigilant in identifying vulnerabilities and reporting them to companies and relevant authorities to prevent data breaches and other security incidents.
Conclusion
While Yes Madam has secured the exposed database, this incident serves as a warning to all companies that handle user data to take their security measures seriously and ensure that their customers’ sensitive information is protected.
As individuals, it’s crucial to be cautious about sharing personal information online and to choose service providers that prioritize data security. In the digital age, the responsibility for data protection falls on both companies and consumers.
Related Articles:
- CloudDefense.AI exposes security flaw in breast pump company’s data storage, leaving millions of documents at risk
- CloudDefense.AI Discovers Unsecured Database of a Higher Education Social Platform, Exposing Sensitive Personal Data of Millions
Abhishek Arora, a co-founder and Chief Operating Officer at CloudDefense.AI, is a serial entrepreneur and investor. With a background in Computer Science, Agile Software Development, and Agile Product Development, Abhishek has been a driving force behind CloudDefense.AI’s mission to rapidly identify and mitigate critical risks in Applications and Infrastructure as Code.
