vpnMentor’s research team discovered a data breach belonging to popular Indian parenting and e-commerce brand BabyChakra.

Based on our research, BabyChakra was storing over 5 million files from its customers entirely out in the open, exposing 100,000s of families across India to fraud, theft, and much worse.

This data breach represents a massive lapse in security by the company. By not protecting its customers’ data, BabyChakra endangered their financial and personal well-being, making them vulnerable to a host of dangers online and in real life.

Data Breach Summary

Company BabyChakra
Headquarters Mumbai, India
Industry Parenting, e-commerce
Size of data 259 GB
No. of files 5,553,744
No. of people exposed Unknown, due to the large number of duplicate files. Potentially millions. At least 100,000s.
Date range/timeline 2015 – pres.
Geographical scope India
Types of data exposed Photos; financial documents; PII data
Potential impact Fraud, phishing, malware; theft; child endangerment
Data storage format Misconfigured AWS S3 bucket

Company Profile

Founded in 2015 by Naiyya Saggi, BabyChakra is India’s biggest online pregnancy and parenting platform. The company offers a wide range of products and services covering the first stages of pregnancy up to early childhood.

BabyChakra’s mix of physical and digital products includes nutritional guidance, nanny agencies, party planners, photography services, and much more.

Timeline of Discovery and Owner Reaction

  • Date discovered: 4th February 2021
  • Date vendors contacted: 9th February 2021
  • Date of 2nd contact attempt: 17th March 2021
  • Date Amazon Contacted: 17th March 2021
  • Date of Response: – 
  • Date of Action: by the 26th April 2021

Sometimes, the extent of a data breach and the data’s owner are obvious, and the issue is quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what’s at stake or who’s exposing the data.

Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.

Some affected parties deny the facts, disregarding our research or playing down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.

In this case, our team discovered an unsecured Amazon Web Services S3 bucket account storing over 5.5 million files. We quickly identified BabyChakra as the most likely owner and verified our findings. Once we had confirmed BabyChakra owned the bucket and its data, we immediately reached out to the company.

At the time of writing, we have not received a reply from the company, despite contacting it several times. The bucket was found secured by the 26th April 2021.

Example of Entries in the S3 Bucket

In total, over 5.5 million files were left publicly accessible. While it’s difficult to confirm exactly how many people were exposed in the data breach, we estimate that the S3 bucket contained private data from at least a few hundred thousand individuals. In reality, the total number could be in the millions – but only BabyChakra has access to that information.

To determine precisely how many people were exposed, we would have needed to download all the data, but for ethical reasons, we chose not to.

User-Uploaded Photos and Videos

The majority of files exposed in the data breach were millions of photos and videos uploaded to BabyChakra’s website database by customers and the company itself. The photos contained incredibly sensitive subjects: children, families, medical test results, and medical prescriptions.

While BabyChakra customers voluntarily uploaded these photos, they would have done so expecting that the images would be protected and kept private. Instead, BabyChakra stored everyone’s photos together and left them publicly accessible online.

The following images are a small sample of the photos our team discovered, redacted for privacy purposes:

Invoices, Package, and Postage Slips

Aside from user photos and videos, BabyChakra was also using the unsecured S3 bucket to store 35,120 invoices and 19,800 packaging slips from the purchases made on its website.

Combined, these exposed the Personally Identifiable Information (PII) data of over 55,000 people across India, including minors:

  • Full names
  • Phone numbers
  • Home addresses
  • Purchased items details (including prices, quantity, etc.)
  • Much more

Users Data Dump

Finally, the remainder of the files on BabyChakra’s S3 Bucket consisted of a massive ‘data dump’: 132,000+ records relating to its customers, obtained from a wide range of sources.

Each record contained additional data from individuals and families across India, including:

  • Names
  • Surnames
  • Mobile phone numbers
  • Children’s birthdates

Based on the data being recorded, it also appears that BabyChakra may have been scraping certain data points or acquiring them from third parties, such as personal phone numbers, from customers’ Facebook profiles.

Data Breach Impact

BabyChakra’s failure to adequately store and secure such a massive amount of data has significant implications for its customers – and the company itself.

Fraud and Identity Theft

Hackers and cybercriminals could use the exposed PII data and contact information in numerous fraudulent activities on BabyChakra and across other platforms:

  • Phishing campaigns
  • Mail fraud
  • Identity theft
  • Malicious software attacks (malware, spyware, etc.)
  • Much more

Each of these criminal schemes could have devastating consequences for 100,000s of families across India.

Physical Theft

Criminals could also use leaked information (such as packaging slips from deliveries accepted with cash payments) to pose as couriers and fraudulently collect payments from BabyChakra customers.

Even worse, they could use large shipments of BabyChakra products to identify wealthy customers purchasing lots of new items from the company. With such information, they could commit highly targeted burglaries and house break-ins targeting these families.

Predatory Activity

BabyChakra’s cloud account contained millions of photos, including many of young children. Unfortunately, this could also attract online predators interested in collecting such photos for personal use.

Impact on BabyChakra

While India doesn’t have robust data protection laws in place, BabyChakra could face numerous issues resulting from this data breach.

Customers who learn their data was leaked to the entire internet may no longer feel comfortable making purchases from BabyChakra. While the company claims to be the #1 parenting brand in India, it’s an incredibly competitive industry, and customers will have plenty of options for switching to rival providers.

Simultaneously, BabyChakra’s rivals could jump on the data breach and exploit it in aggressive negative marketing campaigns against the company. Rival companies could also go a step further and use the data records to micro-target BabyChakra’s users with ad and email campaigns, inundating them with manipulative messages.

Advice from the Experts

BabyChakra could have easily avoided exposing its customers’ data if it had taken some basic security measures. These include, but are not limited to:

  1. Securing its servers.
  2. Implementing proper access rules.
  3. Never leaving a system that doesn’t require authentication open to the internet.

Any company can replicate the same steps, no matter its size.

For a more in-depth guide on how to protect your business, check out our guide to securing your website and online data from hackers.

Securing an Open S3 Bucket

It’s important to note that open, publicly viewable S3 buckets are not a flaw of AWS. They’re usually the result of an error by the owner of the bucket. Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.

In the case of BabyChakra, the quickest way to fix this error would be to:

  • Make the bucket private and add authentication protocols.
  • Follow AWS access and authentication best practices.
  • Add more layers of protection to their S3 bucket to further restrict who can access it from every point of entry.

For BabyChakra Customers

If you’re a customer of BabyChakra and are concerned about how this breach might impact you, contact the company directly to determine what steps it’s taking to protect your data.

To learn about data vulnerabilities in general, read our complete guide to online privacy.

It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.

How and Why We Discovered the Breach

The vpnMentor research team discovered the breach in BabyChakra’s data as part of a vast web mapping project. Our researchers use large-scale web scanners to search for unsecured data stores containing information that shouldn’t be exposed. They then examine each data store for any data being leaked.

Our team was able to access this S3 bucket because it was completely unsecured and unencrypted.

Whenever we find a data breach, we use expert techniques to verify the data’s owner, usually a commercial business.

As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to BabyChakra, not only to let them know about the vulnerability but also to suggest ways to make their system secure.

These ethics also mean we carry a responsibility to the public. BabyChakra users must be aware of a data breach that exposes so much of their sensitive data.

The purpose of this web mapping project is to help make the internet safer for all users.

We have no evidence – and no way of knowing – whether the data in our reports have been accessed or leaked by anyone else; only the database owner can understand that.

We do our best to prevent this from happening by reaching out to the companies and ensuring they secure their leaking database as soon as possible.

We never sell, store, or expose any information we encounter during our security research.

This news was originally published at vpnmentor