Indian parenting platform BabyChakra exposed data of its users — which includes parents and indirectly their children — to hacking due to a misconfiguration in one of its servers, according to researchers. The issue made over 5.5 million files publicly accessible. The researchers claimed that the files included millions of photos and videos of BabyChakra’s users and some of them even contained sensitive subjects, such as medical test results and prescriptions uploaded by the users on the platform. Some photos exposed are also said to be associated with the children and families of the affected users. Mumbai-based BabyChakra offers a social network for parents that lets them discuss their problems with experts.
The research team at VPNMentor, led by Israeli security researcher Noam Rotem, discovered the issue within the BabyChakra platform in February and reported it to the company shortly after an initial investigation. It exposed private data of at least a few hundred thousand individuals, the researchers claimed. The exposed data included photos and videos of people using BabyChakra to get parenting advice and medical consultation on the platform, according to the researchers.
In addition to the media content, the data included over 35,000 invoices and 19,800 packaging slips from the purchases made through the BabyChakra website. It exposed personally identifiable information (PII) of over 55,000 users, including minors, as per the researchers. The data is said to have carried full names, phone numbers, residential addresses, and purchase details of the affected users.
The remainder of the files exposed by BabyChakra included over 132,000 records relating to its customers, all obtained from various sources, including third-party applications like Facebook. The entire data is said to be 259GB in size.
“BabyChakra’s failure to adequately store and secure such a massive amount of data has significant implications for its customers — and the company itself,” the researchers said in a blog post.
The VPNMentor team said they had first informed BabyChakra of the issue on February 9, though the company did not respond to them despite being contacted multiple times.
The researchers said that the data was found secured by the company on April 26, after which they informed Gadgets 360 about the data exposure on April 27.
But BabyChakra founder Naiyaa Saggi told Gadgets 360 that it did not find any vulnerabilities, and the misconfiguration issue was fixed after VPNMentor researchers reached out.
“We undertake security audits as soon as we receive any emails,” she said over email. “We have been in touch with VPNMentor, and they have also confirmed that there are no vulnerabilities exposed.”
She added that BabyChakra was also in the process of initiating quarterly security audits to protect against any such vulnerabilities in the future.
The VPNMentor researchers noted in their blog post that the exposed data and contact information could be used by cybercriminals and hackers for fraudulent activities, such as phishing campaigns, email frauds, identity and physical thefts, and malicious software attacks, among others.
Founded in 2015, BabyChakra is claimed to serve more than two million families a month through its platform for parenting guidance. Its app is touted to generate over five lakh pieces of content on a monthly basis and has more than 2,500 bloggers and influencers among its users.
Apart from offering services such as an online community and expert consultation, BabyChakra launched an online marketplace for pregnant women, infants, and new parents in 2018, and hired executives from popular Indian startups such as FreeCharge and Jabong.