Thousands of Brazilians at Risk Due to a Bus Transportation Mobile App Data Leak

Published by Cyber Research Team on November 23, 2020

WizCase found a serious data breach from a Brazilian company that sells bus tickets online in Brazil, Guiche Virtual. The 26GB of leaked data exposed over 3.6 million emails (including duplicates) and at least 17,000 entries with personal information, such as full names, hashed passwords, and addresses. We have disclosed the leak to the company involved as well as to the Brazilian CERT and the server is now secured.

What’s Going On?

Our team of white-hat hackers discovered an open ElasticSearch database that belonged to Guiche Virtual.

Guiche Virtual is a Brazilian business that provides online bus ticket booking across the country through different bus companies. The service is distributed online via mobile apps — Guiche Virtual on iOS and Guiche Estrada on Android. It seems that the leaked data contains information collected from both platforms as well as data from the company’s online platform. Though the company is located in Brazil, the vulnerable server was hosted in the US.

The leak exposed detailed information about users’ private data and activity, including:

  • Full names
  • Email addresses
  • Hashed passwords
  • CNPJ Brazilian tax identification number
  • Home address with postal code
  • Phone number
  • Passport numbers
  • Detailed travel information for each user, such as destination, ticket cost, and seat purchased
  • Email correspondence

How Did It Happen and Whose Data Was Available?

Guiche Virtual stored a lot of its data on an ElasticSearch server. By default, an ElasticSearch installation comes with no access authentication enabled. This means that if the server is connected to the open web, it automatically becomes available to anyone with access to the internet. The default settings don’t enforce authorization because ElasticSearch servers were originally designed to be used only on internal networks. However, many administrators aren’t aware of this detail and, as a result, don’t set up password authentication or IP whitelisting.
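The risky default described above can be caught by reviewing a node's own configuration before it goes online. The following is an added example, not part of the original report and not Guiche Virtual's setup: it audits the flat `key: value` form of `elasticsearch.yml`. The sample configs are constructed, and treating a missing `xpack.security.enabled` as disabled is an assumption that follows the article's description.

```python
# Added example: audit flat "key: value" settings from an elasticsearch.yml.
LOOPBACK = {"127.0.0.1", "localhost", "::1", "_local_"}

def parse_flat_yaml(text):
    """Read 'dotted.key: value' lines; nested YAML is out of scope here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def http_bind_hosts(settings):
    """http.host overrides network.host; with neither set, the node binds to loopback."""
    raw = settings.get("http.host", settings.get("network.host", "_local_"))
    return [h.strip().strip("\"'") for h in raw.strip("[]").split(",") if h.strip()]

def is_true(settings, key):
    # Assumption: a missing key counts as disabled, the default the article describes.
    return settings.get(key, "false").lower() == "true"

def audit(text):
    """Return a list of (severity, message) findings for one config file."""
    s = parse_flat_yaml(text)
    exposed = [h for h in http_bind_hosts(s) if h not in LOOPBACK]
    auth = is_true(s, "xpack.security.enabled")
    tls = is_true(s, "xpack.security.http.ssl.enabled")
    if exposed and not auth:
        return [("CRITICAL", f"no authentication, HTTP bound to {exposed}")]
    if exposed and not tls:
        return [("WARN", f"authentication on but HTTP is plaintext on {exposed}")]
    if not auth:
        return [("INFO", "authentication off; node is loopback-only")]
    return []

# Constructed sample configs (not taken from the affected server).
WEAK = "cluster.name: tickets\nnetwork.host: 0.0.0.0   # reachable from any interface\n"
HARDENED = """network.host: ["_local_", "10.0.0.5"]
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""
LOCAL_ONLY = "cluster.name: dev\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED), ("local", LOCAL_ONLY)):
        print(name, audit(cfg))
```

A CRITICAL finding is the combination the article describes: a node reachable beyond loopback with no authentication in front of it.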

The unsecured database exposed over 26GB of data with approximately 17,000 entries containing Personally Identifiable Information (PII) and 3.6 million emails, including duplicates. The total size of the leaked data kept changing as the database server was live and updated daily. Since the company is located in Brazil, it seems that most of its users were also Brazilian.

What Are The Risks and What Should I Do Now?

Any data leak, regardless of what company it happens to, is a potentially significant privacy breach that puts everyone involved at huge risk of being targeted by cybercriminals and scammers. The Guiche Virtual leak exposed viable information about thousands of users, including their home addresses and even some passport details.

This compromised data may lead to many threats, such as:

  • Identity theft and fraud: Many parts of leaked personal data, such as passport numbers and hashed passwords, could be used by attackers in identity fraud across different establishments and websites. The leaked passwords could also potentially be cracked and tested alongside exposed email addresses across various platforms. Cyber attackers are likely to do that in order to check for password reusability — successful attempts would provide them with an abundance of additional information.
  • Phishing scams and malware distribution: Email addresses and phone numbers revealed in the leak could be targeted with scam calls, phishing messages, and malicious correspondence. Scammers could use the victims’ personal information to gain their trust and encourage click-throughs as well as malware downloads.
  • Business espionage: Competitor companies could use the exposed data to target Guiche Virtual users and increase their conversion rate. These attempts include sending personalized emails with attractive benefits to new users that could encourage them to swap to a different platform.

Anyone who has used Guiche Virtual should be on the lookout for suspicious emails and phone calls. Phishing attempts always try to mimic trustworthy organizations, such as banks or insurance companies, but you can spot certain differences in the sender’s address upon further inspection. However, if you’re ever in doubt about an email’s credibility, you can check directly with the company you think sent it. On top of that, watch out for “too good to be true” scams that ask for any personal information, as these could be social engineering attempts.

Additionally, you may want to enable two-factor authentication on your online accounts, including social media profiles. This can help prevent attackers from gathering extra information about you, even if they successfully crack leaked hashed passwords. With two-factor authentication turned on, you’ll receive a notification as soon as someone unauthorized tries to access any of your profiles.

Always remember that once your data is shared online, it’s always likely to be involved in an online data leak. That’s why you should limit the amount of information you post to the bare minimum.

Why Should I Trust WizCase?

WizCase is a widely popular web security platform offering advice and tips for thousands of readers every week. Translated into over 30 languages, our website has gained the trust of a large number of people worldwide. Our team regularly discovers new data breaches across the internet and reports them to the companies responsible prior to publishing any reports. Together, we’re working hard towards creating a safer online environment for everyone.

In this case, we reached out not only to Guiche Virtual, but also to the Brazilian Computer Emergency Response Team (CERT). The latter sent us a response email explaining that they had contacted the company and helped with securing the misconfigured server.

Cyber Research Team
The WizCase Cybersecurity Research Team aims to investigate and uncover the latest threats on the internet. The global research team uses ethical hacking methods to shine a light on data breaches, privacy leaks, and security flaws within online communities and organizations.