Personal and Financial Data at Risk
If credit evaluation reports from the mobile loan apps weren’t bad enough, Anurag’s team also discovered 4.6 million unique entries of device data, including GPS locations, full lists of mobile contacts, SMS logs, IMSI numbers, IMEI numbers, device models and versions, stored app data from previous installations, and memory data (composition and content of mobile phone memory).
There are also entries for operator reports, transaction details, billing invoices (full names, phone numbers, monthly bill details, credit card details, debit card details, and call logs). MD5-hashed passwords that can be subsequently decoded have also been found.
Long-term Impact of the Leak
Since the private data leak involved almost every aspect of the users’ personal and digital lives, including IP addresses, GPS locations, and even durations of each online session, it would be easy for hackers to overtake people’s identities if they wanted to use the information for unscrupulous activities. The abuse of government-issued IDs, as well as risk management IDs and P2P data can have a severe, negative impact on people’s careers and financial future.
Furthermore, this data, if it has been downloaded by hackers, can easily be “packaged” and resold in the Dark Web to other hackers and hacking groups involved in credit fraud and identity theft in general.
Personal phone numbers can actually be replicated by hackers, and this can be used to gain access to everything that is linked to the said personal numbers, from email addresses to phone apps, and even smart home devices and software. Private photos can also be accessed in apps, phones, and cloud-based data services, furthering the potential of the data leak to ruin lives. There is currently no consensus if cyber criminals have gained access to the exposed data.
“Leaks like these are continuously happening because companies mismanage the server where they store the logs. It is a technical fault and a very silly one which can cause very serious damage to the company and its customers by leaving databases like this without password over the internet,” security researcher Anurag Sen stated.