[BreachExchange] Royal Enfield database exposed personal info, including passwords and vehicle info, of 452k users; now secured

[Destry Winant]

https://www.medianama.com/2020/02/223-royal-enfield-data-breach/

Motorcyles company Royal Enfield exposed a database of at least
452,000 people in January 2020, which included their names, e-mail
IDs, phone numbers, encrypted passwords, vehicle-related information
and social media links, Bob Diachenko, cyber threat intelligence
director at securitydiscovery.com revealed on Twitter. The information
was of those customers who had created a profile on Royal Enfield’s
official website. MediaNama has seen a redacted copy of the kind of
information that Diachenko could access, courtesy the vulnerability on
Royal Enfield’s website. “I discovered 3 IPs with misconfigured
databases (i.e. set up without password/login) with what appears to be
Royal Enfield’s data,” he told MediaNama. We have reached out to Royal
Enfield for comment.

Information about ‘privileged users’ and RE dealers also exposed: In
his tweet, he also said that the exposed database also included
information about 1,470 “privileged users” and dealers. According to a
redacted copy of the data seen by MediaNama, email, password, name,
and phone numbers of “privileged users” of Royal Enfield was
compromised. Similarly, information related to at least 3,657 Royal
Enfield dealers, including their branch code, IDs, names, emails,
passwords, sales codes and online booking information was also
exposed, Diachenko told MediaNama.

The exposed details of customers, shared by Bob Diachenko with MediaNama

Information about ‘Privileged users’ shared by Bob Diachenko with MediaNama

Diachenko discovered the vulnerability on January 19, and alerted
Royal Enfield the same day. He told us that the database was secured
the next day. But the vulnerability could have existed for at least
two weeks before he finally discovered it, he pointed out. “They
[Royal Enfield] thanked me, asked for additional discussion over the
phone about the incident and disappeared from my radar, never replied
further on,” Diachenko recounted to MediaNama.

3,000 official government email IDs from ISRO, MEA, SEBI were
compromised: This vulnerability comes after it was reported that at
least 3,000 email IDs of officials belonging to government
organisations such as Indian Space Research Organisation (ISRO),
Bhabha Atomic Research Centre (BARC), Ministry of Corporate affairs,
Ministry of External Affairs, Atomic Energy Regulatory Board (AERB)
and Securities and Exchanges Board of India (SEBI), were compromised,
with their passwords available in plain text across various leaked
databases on the dark web.