[BreachExchange] Obike becomes latest victim of global data breach

Audrey McNeil audrey at riskbasedsecurity.com
Thu Dec 7 18:35:26 EST 2017


https://www.cnet.com/news/yellow-bike-sharing-firm-is-new-victim-of-global-data-breach/

Are you riding one of those yellow bikes on the streets of Singapore,
Sydney or London? Some of your personal information may have been accessed.

Obike suffered a global security breach that lasted at least two weeks,
Bavarian Radio reported. User information including names, contacts,
profile photos and location was leaked and made accessible online.

The specific time of the breach is unknown, although security experts in
Taiwan said they discovered the leak in June, but got no response from
Obike. It impacts people around the world, with the Singapore-based company
having expanded to several cities in the Asia Pacific, Europe and UK.

"We were made aware of the issue, and worked quickly to resolve it
immediately," an Obike spokesperson told CNET.  "This only affected a small
handful of our users. The personal data that was exposed was limited to
user names, email addresses and mobile numbers. The app does not store
credit card details or passwords of users."

The security flaw "stemmed from a gap in our [application programming
interface] that allowed users to refer a friend to our platform," the
spokesperson said. That API has now been disabled, and extra security
layers added on top.

Obike is a bike-sharing platform that offers riders an affordable last-mile
solution. It uses a dockless system, which means bikes can be picked up off
the streets (download its app and scan the lock to use the bike) and left
at any public bike-parking area. It's not the only bike-sharing service
available; Chinese bike-sharing giants include Ofo and Mobike, whose
combined value is estimated to cross $4 billion.

It comes a week after Uber made headlines for having paid hackers $100,000
to delete the information stolen from 57 million Uber drivers and riders
globally last October. A 20-year-old Florida man is thought to have been
behind Uber's hack, it was reported on Wednesday.