Indian parenting platform BabyChakra exposed data of its users — which includes parents and indirectly their children — to hacking due to a misconfiguration in one of its servers, according to researchers. The issue made over 5.5 million files publicly accessible. The researchers claimed that the files included millions of photos and videos of BabyChakra’s users, some of which covered sensitive subjects, such as medical test results and prescriptions uploaded by users to the platform. Some of the exposed photos are also said to show the children and families of the affected users. Mumbai-based BabyChakra offers parents a social network that lets them discuss their problems with experts.
The research team at VPNMentor, led by Israeli security researcher Noam Rotem, discovered the issue within the BabyChakra platform in February and reported it to the company shortly after an initial investigation. It exposed private data of at least a few hundred thousand individuals, the researchers claimed. The exposed data included photos and videos of people using BabyChakra to get parenting advice and medical consultation on the platform, according to the researchers.
Update: BabyChakra has responded to Gadgets 360 with a statement claiming no financial data was affected. The full statement is reproduced at the end of the story.
In addition to the media content, the data included over 35,000 invoices and 19,800 packaging slips from the purchases made through the BabyChakra website. It exposed personally identifiable information (PII) of over 55,000 users, including minors, as per the researchers. The data is said to have carried full names, phone numbers, residential addresses, and purchase details of the affected users.
The remainder of the files exposed by BabyChakra included over 132,000 records relating to its customers, all of which were obtained from various sources, including third-party applications like Facebook. The entire data set is said to be 259GB in size.
“BabyChakra’s failure to adequately store and secure such a massive amount of data has significant implications for its customers — and the company itself,” the researchers said in a blog post.
The VPNMentor team said they had first informed BabyChakra of the issue on February 9, though the company did not respond to them despite being contacted multiple times.
The researchers said that the data was found secured by the company on April 26, after which they informed Gadgets 360 about the data exposure on April 27.
But BabyChakra founder Naiyaa Saggi told Gadgets 360 that the company did not find any vulnerabilities, and that the misconfiguration issue was fixed after VPNMentor researchers reached out.
“We undertake security audits as soon as we receive any emails,” she said over email. “We have been in touch with VPNMentor, and they have also confirmed that there are no vulnerabilities exposed.”
She added that BabyChakra was also in the process of initiating quarterly security audits to protect against any such vulnerabilities in the future.
The VPNMentor researchers noted in their blog post that the exposed data and contact information could be used by cybercriminals and hackers for fraudulent activities, such as phishing campaigns, email fraud, identity and physical theft, and malicious software attacks, among others.
Founded in 2015, BabyChakra is claimed to serve more than two million families a month through its platform for parenting guidance. Its app is touted to generate over five lakh pieces of content on a monthly basis and has more than 2,500 bloggers and influencers among its users.
Apart from offering services such as an online community and expert consultation, BabyChakra launched an online marketplace for pregnant women, infants, and new parents in 2018, and hired executives from popular Indian startups such as FreeCharge and Jabong.
Update: The full statement from BabyChakra:
At BabyChakra, security is a top priority. We undertake quarterly security audits to ensure user data is always safe and secure.
Recently a security research organisation reached out to BabyChakra highlighting an information security vulnerability. We looked into this and traced this vulnerability to the configuration of one of our Amazon S3 buckets (our media repository) which could lead to a potential exposure of a small subset of our customer data. On identifying the vulnerability, we took necessary and required steps to address the situation immediately.
On the 28th of April 2021, we got in touch with the security research organisation to understand if there were any other potential risks that they might have discovered.
They confirmed to us that the issue identified by us earlier was the only potential vulnerability and that it had already been secured.
Please note: No financial information or credit card details were at risk as part of this vulnerability since as a policy we do not store sensitive financial information. All passwords, personal chats, group chats & consultations between our users and experts were also fully secure.
To further ensure that no future vulnerabilities occur, and that in the off chance they do, we are able to detect them at the earliest, we have established the below:
- We are going to add a 3-tier review process on any feature that goes to production.
- Our quarterly security audits will be interspersed with frequent random checks.
- We will be further tightening our network security with the help of an outside, 3rd party expert accredited security agency.
We at BabyChakra take customer privacy very seriously and will continue to take all measures to protect the same strictly.
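The statement above traces the exposure to the configuration of an Amazon S3 bucket used as a media repository. The script below is an added, defender-side example; it is not code from the article, from VPNMentor, or from BabyChakra. It audits a bucket's saved configuration offline, checking the three places where an S3 bucket can be opened to the world: the Block Public Access settings, ACL grants to the AllUsers/AuthenticatedUsers groups, and bucket-policy statements whose Principal is the wildcard. The bucket name, role ARN, account ID and grant lists are constructed placeholders; the JSON shapes follow what the S3 GetBucketAcl, GetBucketPolicy and GetPublicAccessBlock APIs return, so a real dump of those calls can be fed in the same way.

```python
"""Offline audit of an S3 bucket's public-exposure settings (added example).

Inspects the JSON shapes returned by GetBucketAcl (grants), GetBucketPolicy
(policy document) and GetPublicAccessBlock without calling AWS, so it can be
run against saved configuration dumps or in a unit test.
"""
import json

# Group URIs that S3 uses for "everyone" and "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

# The four S3 Block Public Access settings; all must be True to block public access.
PUBLIC_ACCESS_BLOCK_KEYS = (
    "BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets",
)


def principal_is_public(principal):
    """True when a policy statement's Principal grants access to anyone ("*")."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def public_policy_statements(policy_json):
    """Return the Sid (or index) of every Allow statement open to any principal."""
    policy = json.loads(policy_json) if policy_json else {}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    hits = []
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") == "Allow" and principal_is_public(stmt.get("Principal")):
            label = stmt.get("Sid", f"statement[{i}]")
            if "Condition" in stmt:           # a Condition may narrow it; still worth review
                label += " (conditional)"
            hits.append(label)
    return hits


def public_acl_grants(grants):
    """Return 'Group:Permission' strings for ACL grants to the public groups."""
    hits = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            hits.append(f"{group}:{grant.get('Permission')}")
    return hits


def audit_bucket(bucket):
    """Return a list of human-readable findings; an empty list means no public path was found."""
    findings = []
    pab = bucket.get("PublicAccessBlock") or {}
    missing = [k for k in PUBLIC_ACCESS_BLOCK_KEYS if not pab.get(k)]
    if missing:
        findings.append("public access block not fully enabled: " + ", ".join(missing))
    for hit in public_acl_grants(bucket.get("AclGrants", [])):
        findings.append("public ACL grant: " + hit)
    for hit in public_policy_statements(bucket.get("Policy")):
        findings.append("public bucket policy statement: " + hit)
    return findings


# Constructed sample: a media bucket readable by everyone, with no public access block.
WEAK_BUCKET = {
    "Name": "example-media-bucket",  # placeholder, not a real bucket
    "PublicAccessBlock": None,
    "AclGrants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
    ],
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
                       "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-media-bucket/*"}],
    }),
}

# Constructed sample: the same bucket after hardening (placeholder account ID 123456789012).
HARDENED_BUCKET = {
    "Name": "example-media-bucket",
    "PublicAccessBlock": {k: True for k in PUBLIC_ACCESS_BLOCK_KEYS},
    "AclGrants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
    ],
    "Policy": json.dumps({
        "Version": "2012-10-17",
        "Statement": [{"Sid": "AppRoleReadOnly", "Effect": "Allow",
                       "Principal": {"AWS": "arn:aws:iam::123456789012:role/media-app"},
                       "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-media-bucket/*"}],
    }),
}

if __name__ == "__main__":
    for bucket in (WEAK_BUCKET, HARDENED_BUCKET):
        print(bucket["Name"], audit_bucket(bucket) or ["no public exposure found"])
```

The weak configuration produces three findings (no public access block, a public READ ACL grant, and a wildcard-principal policy statement); the hardened one produces none. Statements that carry a Condition are still reported, marked "(conditional)", because a condition such as a source-IP restriction narrows the grant but does not by itself make it private, and a reviewer should look at it.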