OlaCabs Reportedly Hacked, Puts User Details and Credit Card History In Jeopardy [Updated]
Popular online cab aggregator OlaCabs has reportedly been hacked. The revelation comes from Reddit where a hacker group is claiming to possess the database structure of the taxi aggregator company which — as they claim — consists of sensitive information such as credit card transaction details, user information, and unused voucher codes.
The alleged hackers who go by the name “TeamUnknown” on Reddit have posted what appears to be the screenshots of the internal database structure of the company. The team further goes on to point out that OlaCabs’ servers were very weakly configured, making it easier for them to glean sensitive information such as customers’ credit card transaction history and unused vouchers from the database.
“Their Application design is very poor and their development server is weakly configured. The hack was a little tricky and involved many steps to get to the database. Once we got to the database it was like winning a lottery. It had all the user details along with credit card transaction history and unused vouchers,” the team writes. “The voucher codes are not even out yet. Its obvious that we wont be using credit card details and voucher codes.”
We have contacted the company for comments, but so far Ola seems clueless on the matter. It is yet to respond to our email, and one of its representatives disconnected the call after learning about the hack. If there has been a hack, this would be the second major security breach in the recent times. Two weeks ago, popular music streaming service Gaana.com also faced a security breach.
This isn’t the first time OlaCabs’ service has come under scrutiny for poor security. Earlier this year, two hackers reported a vulnerability in OlaCabs’ app. Pointing out weak design in the database and weak security in the app, they devised a way to recharge digital wallets for free. TeamUnknown, thankfully, notes that it doesn’t intend to misuse the data.
Update: OlaCabs has finally issued a statement categorically rejecting the claims:
There has been no security lapse, whatsoever to any user data. The alleged hack seems to have been performed on a staging environment when exposed for one of our test runs. The staging environment is on a completely different network compared to our production environment, and only has dummy user values exclusively used for internal testing purposes. We confirm that there has been no attempt by the hackers to reach out to us in this regard. Security and privacy of customer data is paramount to us at Ola.
Unless the guys behind TeamUnknown release more proof, this can be termed as a hoax, or rather, a false claim.