Yes Madam, an Indian at-home salon platform, recently exposed sensitive data of its customers and gig workers due to a server-side misconfiguration. The Noida-based startup operates in over 30 cities in the country and offers salon services at home, including therapies, massage, spa, and male grooming. Yes Madam’s mobile apps have also attracted over a million downloads.
However, since at least February 20, the startup had left a database connected to the internet without a password. It contained the full names, mobile numbers, mailing addresses, and email addresses of hundreds of thousands of Yes Madam customers. The database also included customers’ location data, including their latitude and longitude values, as well as payment links and user device details, such as the model names and IMEI numbers.
Moreover, the startup exposed profile images, names, and mobile numbers of gig workers on the platform. Security researcher Anurag Sen of CloudDefense.ai found the exposed database and asked TechCrunch to help report it to the startup. Because of the misconfiguration, anyone who knew the database’s IP address could access the exposed data using just a web browser. Sen said the database had entries of more than 900,000 users.
Yes Madam secured the database on Friday, shortly after TechCrunch reached out with details. Yes Madam co-founder Mayank Arya confirmed to TechCrunch that it had put in place a fix. When asked if Yes Madam had the technical means, such as logs, to determine whether the exposed data was accessed by anyone else, Arya did not comment further.
Sen also informed India’s computer emergency response team CERT-In, the lead agency for handling cybersecurity issues in the country, about the data exposure. This incident highlights the importance of proper security measures and the need for companies to take responsibility for protecting their customers’ data. At FLD Magazine, we believe that startups and businesses must prioritize cybersecurity to prevent such incidents from happening in the future.
In what could be a major blow to data privacy, Indian startup Yes Madam has reportedly suffered a massive data breach, resulting in the exposure of sensitive customer and gig worker information. According to reports, the breach has affected over 80,000 customers and 6,000 gig workers.
The breach was first reported by cybersecurity researchers, who discovered a publicly accessible database containing a trove of sensitive information such as customer names, phone numbers, email addresses, home addresses, and GPS coordinates. Additionally, the researchers found that the database contained confidential information about gig workers, such as their Aadhaar ID numbers, bank account details, and vehicle registration numbers.
The breach is said to have occurred due to the company’s failure to secure its servers adequately. The database was left unprotected and accessible, providing a potential avenue for cybercriminals to exploit the sensitive information of customers and gig workers. The incident is a stark reminder of the importance of data privacy and the need for businesses to invest in robust cybersecurity measures.
In response to the breach, Yes Madam issued a statement acknowledging the incident and apologizing for the inconvenience caused to customers and gig workers. The startup also said that it has taken immediate steps to investigate the matter and secure its systems, and it has notified the relevant authorities.
The Indian government has also taken notice of the breach and has asked the National Cyber Security Coordinator to investigate the incident. The incident underscores the need for stronger data protection laws in India, as well as greater awareness among businesses regarding data security best practices.
The consequences of data breaches can be severe, including financial loss, reputational damage, and legal consequences. Customers and gig workers affected by the Yes Madam data breach are urged to take necessary precautions, such as monitoring their bank accounts and credit reports, and reporting any suspicious activity or transactions.
The Yes Madam data breach serves as a reminder that no business is immune to cyber threats. Companies of all sizes need to invest in proper cybersecurity measures to safeguard their customers’ and stakeholders’ sensitive information. Additionally, the government and regulatory bodies need to enforce strong data protection laws to ensure that businesses are held accountable for their data security practices.