Top Uber rival leaks user and driver data online
Rapido was exposing a feedback archive online, putting users and drivers at risk.
A major Indian ride-hailing platform was exposing sensitive user data thanks to a bug in one of its APIs.
The flaw in Rapido's systems was discovered by security researcher Renganathan P, who claimed it stemmed from a website form designed to collect feedback from auto-rickshaw users and drivers. An auto-rickshaw is a three-wheeled vehicle, popular across India and many Asian countries.
Users who provided feedback have had their sensitive information exposed to the public, including full names, email addresses, and phone numbers. The database has been seen by TechCrunch, which confirmed its authenticity. The data was supposed to be shared only with a third-party service used by Rapido. The publication says the database counts more than 1,800 feedback responses, with a “large number” of driver phone numbers and a “lesser number” of email addresses.
“This could have led to a big scam involving scammers or hackers, who may have ended up calling drivers and performing a large-scale social engineering attack, or simply these phone numbers and other data could have been exposed on the dark web if reached in the wrong hands,” Renganathan P said.
The publication subsequently reached out to Rapido, which locked down the database and prevented further unauthorized access. We don’t know if any malicious actors found this database in the past, or if the data was abused in the wild. Phone numbers and email addresses are valuable to anyone running phishing and identity theft scams.