A popular US ride-hailing service has become the latest firm to publicly expose customer details after researchers found data on an estimated one million users of the service and thousands of drivers.
The privacy snafu came as a result of a misconfigured Apache Hive database at Uber-like company Fasten, which had been left open for end-user access, according to the Kromtech Security Center’s Bob Diachenko.
The exposed data apparently included names, email addresses, phone numbers, links to photos, IMEI numbers, car registration and license plate details, as well as notes on drivers.
Fasten appears to have reacted quickly to the incident, taking the database offline shortly after being informed.
Head of corporate comms, Jennifer Borgan, explained that the database in question was created on October 11 but the sensitive data was uploaded by a developer several days later.
“We can confirm it was exposed for a total period of 48 hours prior to deletion”, she told Kromtech.
“We have already taken steps to update our security protocols to ensure this does not happen again. In this instance, old production data was uploaded to the test cluster by mistake. Going forward, these processes will be managed only by security engineers with specific expertise in this area.”
Fasten operates in two US cities — Austin and Boston — and apparently claims that 50% of Boston’s rides-haring drivers and 90% of those in Austin use their service.
It follows a series of previous revelations from Kromtech and others about misconfigured cloud databases.
It’s believed that as many as four million Time Warner customers had their details exposed in this way, after a discovery by Kromtech back in September.
However, that pales in comparison to Tarte Cosmetics, where a misconfigured database exposed the details to ransom specialist group CRU3LTY.