Data Breach at Indian Startup Yes Madam

Yes Madam, an at-home salon platform based in Noida, India, has experienced a data breach that has exposed sensitive information belonging to its customers and gig workers. According to the company’s website, Yes Madam operates in over 30 cities across India, offering a wide range of salon services at customers’ homes, including therapies, massages, spas, and male grooming. The platform has also gained over a million downloads through its mobile apps.

The data breach occurred due to a server-side misconfiguration, which left a database containing the personal information of hundreds of thousands of Yes Madam customers exposed to the internet without a password since at least February 20.

What Data Has Been Breached?

The database contained a plethora of sensitive information, including customers’ full names, mobile numbers, mailing addresses, email addresses, and location data such as latitude and longitude values. It also contained payment links and user device details, like model names and IMEI numbers, which could potentially be used for fraudulent activities.

Not only were customers’ details exposed, but the startup also exposed profile images, names, and mobile numbers of its gig workers on the platform. Security researcher Anurag Sen of CloudDefense.ai discovered the exposed database and asked TechCrunch to help report the issue to Yes Madam.

What’s more concerning is that anyone who knew the database’s IP address could have accessed the exposed data without needing a password, using only their web browser. Sen confirmed that the database had entries for over 900,000 users, including both customers and gig workers.

Data Breach Has Been Plugged

After being informed of the data breach, Yes Madam acted quickly and secured the database on Friday. However, the company’s reputation may have already been damaged due to the potential harm that could have been caused to its customers and gig workers.
