Database containing donors’ names, contact details, and blood type discovered on hacking forum
Risk monitoring firm CloudSEK has discovered the personal data of more than 12,000 Indian blood donors on offer on the clear web for free.
The data from Indian Blood Donors – a non-profit organization that maintains a database of blood donors and matches recipients with the nearest suitable donor – was checked out by Bengaluru-based CloudSEK, which used public sources to verify certain fields in the data dump and establish its authenticity.
The information on offer included blood donors’ names, phone numbers, and email addresses, as well as their blood type, PIN code, and password – all in plain text.
Site upgrade required
“The data was being shared for free on a surface web database marketplace called Raid Forums,” CloudSEK’s lead cyber intelligence editor Deepanjli Paulraj tells The Daily Swig.
“We’re not sure how exactly the data was obtained – Indian Blood Donors has not responded to us. But given that it is an HTTP site, the data is not encrypted and can be intercepted by third parties.”
Other possibilities for the initial leak, Paulraj says, include an exposed database or cloud storage bucket, or even a phishing campaign that succeeded in accessing system admin credentials.
Either way, the data could be very useful indeed to criminals.
“Threat actors can use the PII [personally identifiable information] in the data dump to orchestrate phishing campaigns, online and offline scams, and even identity theft,” says Paulraj.
“Since the passwords are not hashed, anybody can log into a donor’s account, on the Indian Blood Donors website or app, and alter their details or act on their behalf.”
Credential stuffing attacks could also be used to compromise users’ email, banking, or other online accounts, the researcher said.
In cold blood
India’s Computer Emergency Response Team (CERT-In) says it is “taking appropriate action”, following notification by CloudSEK.
In the meantime, the security firm is urging blood donors to change their passwords – and update any other accounts using the same one – as well as verify that their data hasn’t been altered on the Indian Blood Donors website.
The company is also urging Indian Blood Donors to identify the source of the leak and fix the vulnerability as soon as possible, start storing hashed passwords, and obtain an SSL certificate for the site to upgrade it from HTTP to HTTPS.
This isn’t the first time that a blood donor database has been compromised. Back in 2016, for example, a massive breach saw the data of more than half a million Red Cross blood donors exposed.
And a year ago, in Singapore, the personal information of more than 800,000 blood donors, mistakenly left available online for more than two months, was accessed illegally and possibly exploited.