A China-based loan app exposed millions of Indians’ data in an unsecured server – The Next Web

China-based lending company Moneed’s unprotected database has exposed the names and phone numbers of millions of Indians, putting them at risk of identity theft. Security researcher Anurag Sen found this database on an open elastic server that had more than 389 million phonebook records. Moneed has offices in Hangzhou, New Delhi, and Hong Kong.

Sen told TNW that the data is stored on a server provided by Hangzhou Alibaba Advertising Co. Ltd in China. The discovery comes in the wake of anti-China sentiments across government authorities and citizens in India who are wary of its powerful neighbor’s operations in cyberspace. Recently, India banned 59 Chinese apps including TikTok for allegedly stealing and surreptitiously transmitting users’ data in an unauthorized manner to servers which have locations outside India.

Looking at the database entries, especially names, the app seems to have uploaded phonebooks of people who might’ve installed Moneed’s apps. The company has two Android apps for securing loans, called Moneed and Momo, on the Play Store; both of them have more than a million downloads. Both of these apps ask for a ton of permissions including contacts, phone, storage, and location.

Shockingly, I managed to find my own contact details in the database. However, there were three entries against the same phone number; it’s likely that different users will have saved my number against different names for that contact.

The database contained data gathered between August 2019 and July 2020. Despite multiple emails to Moneed, we received no reply at the time of writing. We contacted the host of the server, and the Alibaba Security Response Center (ASRC) took the database offline for security.

Meanwhile, Moneed’s loan service itself appears to be in violation of Google’s app store policy. You can apply for a short-term loan for a tenure of 14 or 28 days. However, Google’s developer policy states that the company doesn’t allow apps that demand full repayment of loans in under 60 days. We’ve reached out to the company for an explanation, and we’ll update the story when we hear back.

In the past few months, several reports have noted that Moneed and several other Chinese microloan apps have been harassing borrowers in India for repayment. One of the methods these companies use is reportedly to call borrowers’ family and friends to ask for money. They also create a WhatsApp group with the borrower’s family to ask for their whereabouts.

In this tense political climate, it’s worrisome that the data of so many Indian citizens were captured and stored on a foreign server without explicit consent or disclosure. Recently, Cyble reported that more than 150,000 IDs of Indians were leaked on the dark web by a Mandarin-speaking actor.

Moreover, despite such a large amount of data being stored in the database, there were no security precautions. Furthermore, this data could be used for illegal extortion of money or other malicious purposes. The company has a responsibility to keep customer data safe and respond to security threats in a timely manner, and it has clearly failed them in this case.
