Records containing sensitive information on perhaps millions of Iranian drivers were left unsecured in a publicly available database for days, according to security research published Thursday.
More than 6.7 million records from 2017 and 2018 were estimated to be exposed in a database discovered by researcher Bob Diachenko. Information included drivers’ first and last names, their Iranian ID numbers stored in plain text, their phone numbers, and other data such as invoice information. The data is now secured, Diachenko told CyberScoop.
The actual number of people affected in the breach is likely less than 6.7 million, Diachenko explained, because the database contains multiple files referring to the same people.
Diachenko said the data originated with TAP30, an Iranian ride-hailing company. The database was never downloaded in full, he said, and was exposed for a limited period of time.
“[W]e can only guess if this data was part of their infrastructure,” he wrote in a post published Thursday. “However, no matter who owned it, the fact alone that such highly sensitive [personally identifiable information] was available in the wild for at least three days, is scary. Chances are also big that this data was previously stolen from either company and now resurfaced[.]”
Diachenko says he was able to contact some of the drivers included in the database, and that he has notified Iran’s Computer Emergency Response Team about the data exposure.
The records were stored in a MongoDB database that apparently didn’t require strong authentication. Researchers previously have discovered numerous vulnerabilities in MongoDB databases, which allow users to store vast quantities of information in a single place. Diachenko previously found personal data belonging to 202 million Chinese job seekers and, later, 24 million financial records.
Update 4/19/19 09:27am ET: This story was updated to note Diachenko’s confirmation Friday that the data in question originated with Tap30.