Jun 10, 2022 21:00:00

It is clear that more than 120,000 personal information such as passports and driver's licenses of share cycle service 'Mobike' users are disclosed online without being encrypted

In the past, the share cycle service '

Mobike ' from China, which was also provided in Japan, is stored online without encrypting more than 120,000 personal information of users such as passports and driver's licenses. It has become clear and is regarded as a problem.

One of those weird'no -one-to-blame' incidents exposing massive amount of users PII. Kudos to @zackwhittaker for following this until the end.

— Bob Diachenko (@MayhemDayOne) June 8, 2022

Bob Diachenko of Security Discovery , a cybersecurity research group, told TechCrunch that Mobike users' passports on an unprotected storage bucket hosted by Amazon on February 11, 2022. And he discovered that the driver's license data was stored. 'Anyone who knows the easily guessable bucket name of Mobike will be able to browse the pile of IDs uploaded to Mobike after 2017 from a web browser,' said Diachenko. I point out that.

It seems that ID data such as passports and driver's licenses that Mobike users are required to upload when using the service are stored on this bucket. The bucket also contains 94,000 'user selfies' that are required to be registered to authenticate the user ID, and 49,000 user signatures. Please note that most of the IDs found on the bucket are from Latin American users such as Argentina and Brazil, and all data on the bucket is unencrypted.

Mobike is a startup that started in Beijing, China in 2015, and was once a prosperous pioneer of share bike services in China. However, after that, the business was in a difficult situation, and in 2018 it was acquired by Meituan, a major on-demand service in China, and Mobike's international business was completely withdrawn. Since then, Mobike has rebranded its share bike business in China to 'Meituan Bike,' but has continued to work with local partners in regions such as Northeast Asia, Latin America and Europe.

But after Diachenko pointed out that the user's personal information was exposed unprotected, 'it seems like no one wants to take ownership or responsibility for the data,' TechCrunch reports. ..

A Meituan spokeswoman said, 'We sold Mobike's Latin American business in August 2019, so we have nothing to do with this issue.' It also does not disclose who bought Mobike's Latin American business because of a nondisclosure agreement. So, 'I can't know who to contact about this customer data issue,' TechCrunch said. However, most of the data stored in the buckets that remain public is said to be before August 2019 when Meituan sells Mobike's Latin American business.

In addition, it is unknown how long the user data on the bucket discovered by Mr. Diachenko has been left open, or when and how it was made public. Amazon's storage buckets are private by default, so it's possible that someone who can control the bucket has granted public access.