Yes Madam, an Indian at-home salon platform, exposed sensitive data of its customers and gig workers because of a server-side misconfiguration. The incident underlines the importance of storing customer data securely, especially in environments where it is accessed by many users.
Yes Madam is a technology-based at-home salon service operating in more than 30 cities in India. Its services include therapies, massage, spa treatments and male grooming. Yes Madam’s mobile apps have been downloaded more than one million times.
The exposed database of customer personal information contained full names, mobile numbers, mailing addresses and email addresses. It also held customers’ location data (latitude and longitude values), payment links and user device details.
The gig economy is a time-honored way for people to earn a supplemental income. But one startup has exposed the personal information of its workers, leading to allegations of exploitation. The startup, which provides work-from-home gigs, published profile images, names and mobile numbers of its workers on its website. Critics say the exposed data leaves gig workers vulnerable to predators and could lead to them being
TechGround reached out to CloudDefense.ai to report an exposed database and exposed user data. CloudDefense.ai is a startup that provides security research services, so this was a major concern for the company. Sen immediately notified the startup of the potential security threat and worked with it to secure the database and protect its users’ data.
The misconfiguration of the database exposed the data of all 900,000 users online. The information could be accessed by anyone who knew the database’s IP address, which points to lax security measures when the database was configured.
TechGround reached out to Yes Madam after noticing a security flaw in its database that could have given unauthorized individuals full access to the data. After Yes Madam confirmed the vulnerability and put a fix in place, TechGround assured them that they were taking all necessary measures to protect their data.
One possible explanation for why Arya did not comment further on whether Yes Madam had the technical means to determine whether anyone else accessed the data is that the company found no evidence of access and therefore saw no need to investigate further. If the data was in fact leaked, it is possible that someone outside Yes Madam compromised its systems to obtain the information.
The data exposure was troubling to Sen, as it could have given hackers easy access to the personal information of Indians. To help prevent similar incidents in the future, he reported the exposure to India’s computer emergency response team, CERT-In, so that it can be better prepared should a similar incident happen again.