[BreachExchange] Urban Massage exposed a huge customer database, including sensitive comments on its creepy clients

Destry Winant destry at riskbasedsecurity.com
Wed Nov 28 09:15:28 EST 2018


https://techcrunch.com/2018/11/27/urban-massage-data-exposed-customers-creepy-clients/

Urban Massage, a popular massage startup that bills itself as
providing “wellness that comes to you,” has leaked its entire customer
database.

The London, U.K.-based startup — now known as just Urban — left its
Google-hosted Elasticsearch database online without a password,
allowing anyone to read hundreds of thousands of customer and staff
records. Anyone who knew where to look could access, edit or delete
the database.
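As an added illustration that is not part of the article, the elasticsearch.yml settings below show the kind of configuration that produces an exposure like this one beside the corrected form. The key names are Elasticsearch's own; the assumptions are a 6.8/7.x cluster, where the security module is available at no cost, and a placeholder certificate path.

```yaml
# --- Exposed configuration: listens on every interface, no authentication ---
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: false     # any client reaching port 9200 can read, edit or delete indices

# --- Corrected configuration: credentials required, TLS on, bound to a private address ---
network.host: 127.0.0.1           # or a private-network address reachable only through a firewall/VPC rule
http.port: 9200
xpack.security.enabled: true      # every request must carry valid credentials
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12   # placeholder path; generate with elasticsearch-certutil
# After restarting, set the built-in user passwords with bin/elasticsearch-setup-passwords
```

A quick check after the change: an unauthenticated request to the HTTP port from a host that should not have access now returns HTTP 401 rather than cluster data, and a cloud firewall rule should keep port 9200 off the public internet regardless.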

Security researcher Oliver Hough found the database through Shodan, a
search engine for exposed devices and databases, and told TechCrunch
of the exposure.

It’s not known how long the database was exposed or if anyone else had
accessed or obtained the database before it was pulled. It’s believed
that the database was exposed for at least a few weeks.

Urban pulled the database offline after TechCrunch reached out.

Chief executive Jack Tang said in a statement: “Urban is looking into
this as a matter of utmost urgency. We have informed the ICO and will
take all other appropriate action, including in relation to data and
communications.”

At the time of securing the database, the company had exposed more
than 309,000 user records, including names, email addresses and phone
numbers. Each record also had a unique referral code, allowing friends
to get discounted treatments.

We verified the data by contacting several users at random. One user,
who did not want to be named, said the data exposure was a “huge
violation” of her privacy.

The database also contained over 351,000 booking records, and more
than 2,000 records on Urban massage therapists, including their names,
email addresses and phone numbers.

Those figures roughly match the numbers the company reported earlier
this month.

Among the records were thousands of complaints from workers about
their clients. The complaints were specific — from account blocks for
fraudulent behavior, abuse of the referral system and persistent
cancelers. But many records also included allegations of sexual
misconduct by clients — such as asking for “massage in genital area”
and requesting “sexual services from therapist.” Others were marked as
“dangerous,” while others were blocked due to “police enquiries.” Each
complaint included a customer’s personally identifiable information —
including their name, address, postcode and phone number.

But from a cursory review of the data, the database didn’t contain
financial information — such as credit cards or individual account
passwords.

How the data came to be exposed remains a mystery, but the exposed
data is highly sensitive — and the repercussions could be significant.
Because the company falls under the new Europe-wide GDPR rules, Urban
may face steep financial penalties of up to four percent of its global
annual revenue.

For a company that’s centered around bringing relaxation to the
masses, this breach will likely cause unnecessary stress for a lot of
people.
