Motorcycle manufacturer Royal Enfield had exposed a database containing personal information of at least 450,000 customers in January, a cyber security analyst disclosed on Twitter on Thursday.
Bob Diachenko, a Ukraine-based expert, told The Quint that he had sent a responsible-disclosure alert to the company on 19 January, after which the exposure was fixed.
Diachenko, in his tweet, added that the exposed database also contained information on 1,470 "privileged users" and dealers. The exposed data included names, e-mails, phone numbers, encrypted passwords, motorbike-related information and social network links of individuals.
The encrypted passwords pertain to accounts on the company’s official website. It is unclear how long the database had remained exposed prior to its discovery.
“Without my alert, chances are high that somebody with malicious intents would have wiped out the data or stolen it for ransom.” – Bob Diachenko, Independent Cyber Security consultant
Diachenko said that he had discovered a misconfigured MongoDB instance (MongoDB is a document-oriented database program) which, among other data, contained customer information pertaining to Royal Enfield.
“I discovered 3 IPs (addresses) with misconfigured databases i.e. set up without password/login with what appears to be Royal Enfield’s data,” Diachenko told The Quint.
“We see many cases of ransomware attacks on non-protected NoSQL databases, so my goal is to be one step ahead of a criminal and alert businesses and organisations on the potential dangers,” he added.
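A defender's check for the misconfiguration Diachenko describes, as an added example that is not part of the article or of anyone's tooling: it reads a mongod.conf and flags the two settings that turn a MongoDB instance into a passwordless database reachable from the internet. The names `parse_mongod_conf`, `audit_mongod_conf` and the two sample configurations are hypothetical and constructed here.

```python
# Hypothetical audit helper written for this page (not Diachenko's tooling, not
# part of MongoDB): flags a mongod.conf that allows the exposure described above,
# i.e. no authorization and a listener bound to every interface. The parser covers
# only the two-level 'section:\n  key: value' subset mongod.conf uses, so it runs
# without PyYAML; it is not a general YAML parser.

def parse_mongod_conf(text):
    """Build nested dicts from indentation-based 'key: value' lines."""
    root = {}
    stack = [(-1, root)]                               # (indent, mapping) per open section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()           # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack[-1][0] >= indent:                  # climb back out of deeper sections
            stack.pop()
        parent = stack[-1][1]
        value = value.strip().strip("'\"")
        if value:
            parent[key.strip()] = value
        else:                                          # 'section:' opens a nested mapping
            parent[key.strip()] = child = {}
            stack.append((indent, child))
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means both checks passed."""
    conf, findings = parse_mongod_conf(text), []
    if conf.get("security", {}).get("authorization", "").lower() != "enabled":
        findings.append("security.authorization not enabled: any client that reaches "
                        "the port can read, modify or drop every collection")
    net = conf.get("net", {})
    bind_ip, bind_all = net.get("bindIp", ""), str(net.get("bindIpAll", "")).lower()
    if bind_all == "true" or any(a.strip() in ("0.0.0.0", "::") for a in bind_ip.split(",")):
        findings.append("net.bindIp listens on all interfaces: reachable from every "
                        "network the host is attached to")
    elif not bind_ip:
        findings.append("net.bindIp not set: MongoDB releases before 3.6 bound all "
                        "interfaces by default, so set it explicitly")
    return findings


# Constructed samples: the first matches the 'set up without password/login'
# pattern in the article, the second is the corrected configuration.
WEAK_CONF = "storage:\n  dbPath: /var/lib/mongodb\nnet:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED_CONF = WEAK_CONF.replace("0.0.0.0", "127.0.0.1") + "security:\n  authorization: enabled\n"
```

Running `audit_mongod_conf(WEAK_CONF)` returns both findings, while the hardened configuration returns an empty list.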
The Quint has reached out to Royal Enfield for its response on the issue. The story will be updated with their official comment.