Thousands of Brazilians at Risk Due to a Bus Transportation Mobile App Data Leak
WizCase found a serious data breach from a Brazilian company that sells bus tickets online in Brazil, Guiche Virtual. The 26GB of leaked data exposed over 3.6 million emails (including duplicates) and at least 17,000 entries with personal information, such as full names, hashed passwords, and addresses. We have disclosed the leak to the company involved as well as to the Brazilian CERT and the server is now secured.
What’s Going On?
Our team of white-hat hackers discovered an open ElasticSearch database that belonged to Guiche Virtual.
Guiche Virtual is a Brazillian business that provides online bus ticket booking across the country through different bus companies. The service is distributed online via mobile apps — Guiche Virtual on iOS and Guiche Estrada on Android. It seems that the leaked data contains information collected from both platforms as well as data from the company’s online platform. Though the company is located in Brazil, the vulnerable server was hosted in the US.
The leak exposed detailed information about users’ private data and activity, including:
- Full names
- Email addresses
- Hashed passwords
- CNPJ Brazilian tax identification number
- Home address with postal code
- Phone number
- Passport numbers
- Detailed travel information for each user, such as destination, ticket cost, and seat purchased
- Email correspondence
How Did It Happen and Whose Data Was Available?
Guiche Virtual stored a lot of its data on an ElasticSearch server. By default, installing an ElasticSearch engine on a server comes with no access authentication enabled. This means that if the server is connected to the open web, it automatically becomes available to anyone with access to the internet. The default settings don’t apply the authorization as ElasticSearch servers are originally designed to be used only on internal networks. However, many administrators aren’t aware of this detail and, as a result, don’t set up password authentication or IP whitelisting.
The unsecured database exposed over 26GB of data with approximately 17,000 Personal Identifiable Information (PII) and 3.6 million emails, including duplicates. The total size of the leaked data kept changing as the database server was live and updated daily. Since the company is located in Brazil, it seems that most of its users were also Brazilian.
What Are The Risks and What Should I Do Now?
Any data leak, regardless of what company it happens to, is a potential significant privacy breach that puts everyone involved at huge risks of being targeted by cybercriminals and scammers. Guiche Virtual leak exposed viable information about thousands of users, including their home addresses and even some passport details.
This compromised data may lead to many threats, such as:
- Identity theft and fraud: Many parts of leaked personal data, such as passport numbers and hashed passwords, could be used by attackers in identity fraud across different establishments and websites. The leaked passwords could also potentially be cracked and tested alongside exposed email addresses across various platforms. Cyber attackers are likely to do that in order to check for password reusability — successful attempts would provide them with an abundance of additional information.
- Phishing scams and malware distribution: Email addresses and phone numbers revealed in the leak could be targeted with scam calls, phishing messages, and malicious correspondence. Scammers could use the victims’ personal information to gain their trust and encourage click-throughs as well as malware downloads.
- Business espionage: Competitor companies could use the exposed data to target Guiche Virtual users and increase their conversion rate. These attempts include sending personalized emails with attractive benefits to new users that could encourage them to swap to a different platform.
Anyone who has used Guiche Virtual should be on the lookout for suspicious emails and phone calls. Phishing attempts always try to mimic trustworthy organizations, such as banks or insurance companies, but you can spot certain differences in the sender’s address upon further inspection. However, if you’re even in doubt about an email’s credibility, you can check directly with the company you think sent it. On top of that, watch out for “too good to be true” scams that ask for any personal information as these could be social engineering attempts.
Additionally, you may want to enable two-factor authentication on your online accounts, including social media profiles. This can help prevent attackers from gathering extra information about you, even if they successfully crack leaked hashed passwords. With two-factor authentication turned on, you’ll receive a notification as soon as someone unauthorized tries to access any of your profiles.
Always remember that once your data is shared online, it’s always likely to be involved in an online data leak. That’s why you should limit the amount of information you post to the bare minimum.
Why Should I Trust WizCase?
WizCase is a widely popular web security platform offering advice and tips for thousands of readers every week. Translated into over 30 languages, our website has gained the trust of a wide number of people worldwide. Our team regularly discovers new data breaches across the internet and contacts them to companies responsible for them prior to publishing any reports. Together, we’re working hard towards creating a safer online environment for everyone.
In this case, we reached out not only to Guiche Virtual, but also Brazillian Computer Emergency Response Team (CERT). The latter sent us a response email explaining they contacted the company and helped with securing the misconfigured server.