The SafetyDetectives security team discovered a data breach affecting CashMama, a money lending platform based in India, which exposed a comprehensive array of customer data that was invasively collected and stored.

CashMama’s Amazon S3 bucket was left publicly accessible, exposing sensitive and personal data for hundreds of thousands of customers.

CashMama’s misconfigured bucket revealed enough sensitive data to potentially expose its users to the most damaging forms of cybercrime.
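The bucket at the centre of this report was reachable by anyone because of its access settings. As an added illustration (not code from the original report, CashMama, or SafetyDetectives), the following offline check flags the two ways an S3 bucket is typically made public, a world-readable ACL and a bucket policy with an anonymous principal, and shows how the account-level Public Access Block neutralises both. The ACL, policy and Public Access Block dictionaries are constructed samples in the shape returned by boto3’s `get_bucket_acl`, `get_bucket_policy` and `get_public_access_block`; the bucket name and owner ID are placeholders.

```python
"""Offline audit of S3 bucket settings for public exposure (constructed samples)."""
import json

# Grantee URIs that make an ACL grant public (AllUsers = anyone, even unauthenticated).
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def public_acl_grants(acl):
    """Permissions an ACL (get_bucket_acl shape) gives to public groups, e.g. ['READ']."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def public_policy_actions(policy_json):
    """S3 actions an unconditional Allow statement grants to an anonymous principal."""
    actions = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principal = principal.get("AWS")
        anonymous = principal == "*" or principal == ["*"]
        if stmt.get("Effect") == "Allow" and anonymous and not stmt.get("Condition"):
            acts = stmt.get("Action", [])
            actions.extend([acts] if isinstance(acts, str) else acts)
    return actions

def audit_bucket(acl, policy_json, pab):
    """Combine the checks; an empty list means no public path was found.
    pab is the PublicAccessBlockConfiguration dict, or None if none is set."""
    findings, pab = [], pab or {}
    if not pab.get("IgnorePublicAcls"):          # S3 ignores public ACL grants when True
        findings += [f"ACL grants {p} to a public group" for p in public_acl_grants(acl)]
    if policy_json and not pab.get("RestrictPublicBuckets"):  # public policies neutralised when True
        findings += [f"policy allows {a} to anyone" for a in public_policy_actions(policy_json)]
    return findings

# Constructed sample: everyone may list the bucket (ACL READ) and fetch any
# object (policy GetObject), with no Public Access Block applied.
OPEN_ACL = {"Owner": {"ID": "placeholder-owner-id"}, "Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "placeholder-owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::placeholder-bucket/*"}]})
# The corrected setting: all four Public Access Block flags enabled.
HARDENED_PAB = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    print(audit_bucket(OPEN_ACL, OPEN_POLICY, None))          # two findings
    print(audit_bucket(OPEN_ACL, OPEN_POLICY, HARDENED_PAB))  # []
```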

Who Is CashMama?

Founded in Hyderabad, in India’s Telangana region back in 2018, CashMama was a consumer finance application that offered instant money lending services to its users.

CashMama is now defunct after it was allegedly involved in an instant loan app scandal.

While primarily aimed at young professionals, CashMama promised convenience with a loan application and screening process that was 100% online. Customers could expect timely approval, even without a loan history or credit card, and once approved, CashMama users could receive their loan within a matter of minutes. The app offered loans between 3,000 and 5,000 rupees (around US$40 to US$65) with short-term tenures.

CashMama was owned by the parent company Onion Credit Private Limited, which also operated other instant loan apps with data on the open bucket, such as Loan Zone and MeraLoan. Each of these apps is implicated in allegations of racketeering, according to The Indian Express.

Onion Credit Private Limited representatives were arrested by Indian authorities in late 2020 following allegations of blackmail, harassment, coercion, and financial fraud (as per The Indian Express). CashMama’s open bucket demonstrates functionality that allowed its owners to snoop on customers via several mobile apps and related services.

Following our analysis, it appears that the bucket belongs to CashMama due to references to the company in stored emails.

What Was Exposed?

CashMama’s misconfigured Amazon S3 bucket exposed more than 6.5 million files, totaling over 1TB of data.

The bucket’s content included PII and sensitive data belonging to the customers of at least four instant loan apps: CashMama, Loan Zone (also known as Vayloan), MeraLoan, and an unidentified app.

The unidentified app’s data was stored under an app name, though we could not determine exactly which app this name referenced. A small portion of files have an unknown origin: this data could have been collected for one of the loan apps mentioned, or it could have been collected for a completely different instant loans app.

There may be customers of various other associated instant loan apps exposed on the bucket as well.

We observed a large amount of personal data collected for each app. In fact, we observed 10 different file collections on the bucket. Each file collection comprised one or more folders containing similar files, and each collection’s data relates to one of the instant loan apps on the bucket.

Each folder contained files that featured the PII and sensitive data of customers. We’ll now walk you through the data exposed on CashMama’s bucket, along with an explanation of the files that contained each dataset.

Paperwork & PIIs

Paperwork & PIIs data were exposed in three of the aforementioned collections on the misconfigured AWS S3 bucket:

  • Loan agreements
  • MeraLoan applications & contacts
  • Unknown app’s files

Paperwork & PIIs data exposed the customer PII and sensitive data of CashMama, MeraLoan, and another unknown app’s users. You can see a list of exposed paperwork & PIIs below.

Loan agreements exposed a large portion of this PII and sensitive data, information that belongs to CashMama’s customers. Loan agreements appear to document contracts between customers and instant loan companies. Alternatively, loan agreements could have been sent to the non-bank financial companies (NBFCs) funding the loans. There were almost 300,000 Loan agreements on the misconfigured bucket.

MeraLoan applications & contacts exposed MeraLoan customers’ loan applications and phone contact lists. As such, these files exposed a range of MeraLoan customer PII and sensitive customer data. A folder containing over 10,000 loan applications, submitted by customers, exposed a portion of the data you can see above.

The unknown app’s files exposed a range of user PII and sensitive data, though we don’t know for which app this information was collected. The unknown app’s files were formatted differently from other logs we observed on the bucket. We don’t know why this was the case; perhaps these were logs collected and sent to an associated NBFC. There were over 100,000 of the unknown app’s files on the bucket.

Pictures

Pictures data were exposed in three of the aforementioned locations on the AWS S3 bucket:

  • Epoch files
  • ID photos files
  • Processed ID cards

Pictures exposed the customer PII and sensitive customer data of CashMama, LoanZone (most likely), and an unknown app’s users. There were three datasets exposing this information on CashMama’s AWS S3 bucket:

Note: The exposed app (or apps) that collected each dataset is named in brackets.

Images data (of CashMama users):

  • Filenames
  • Device models
  • GPS coordinates
  • Times images were taken

ID photos (likely belonging to LoanZone users):

  • Photos of people
  • Photos of users’ ID cards (front and back)

Plaintext IDs (of an unknown app’s users):

  • ID card data (incl. name, D.O.B., address, etc.)

*Note: The related images were not included.

Images data included technical information about users’ photos without containing photos themselves. Images data exposed the PII and sensitive data of CashMama customers and was found on epoch files. Nearly 200,000 epoch files exposed the data of around 100,000 CashMama customers.

Epoch files were dumped in two stages into two separate folders and contained a range of user information. The first folder of epoch files contained data that was collected from users’ phones and images data was found in this folder. In the second folder, CashMama conflated mined data with data that customers provided in the CashMama app, linking real people with their phone data.

ID photos files contained ID photos presumably collected during the application and identification process. We believe these photos exposed the PII of LoanZone/Vayloan customers, though we can’t be certain. Over 2.3 million of these files were observed on the open bucket.

Processed ID cards contained over 170,000 plaintext IDs. Here, ID cards were converted into plaintext via optical character recognition (OCR), a technology that extracts text from images. This allowed the company to reference the data easily on the bucket. Plaintext IDs contained customer PII and sensitive customer data. However, we’re not quite sure why (or for which app) this data was collected.

Phone-Related Data

Phone-related data was exposed across several different file collections on CashMama’s open AWS S3 bucket:

  • Epoch files
  • SMS data
  • SMS & contacts
  • Vayloan fingerprint data
  • MeraLoan applications & contracts
  • Unidentified app files

As such, customers of CashMama, LoanZone (most likely), MeraLoan, and an unidentified app have customer PII and sensitive customer data exposed in at least one of the following datasets:

Note: The exposed app (or apps) is named in brackets when the dataset was not collected for all four apps (CashMama, LoanZone, MeraLoan, & the unidentified app).

Contacts:

  • Names
  • Phone numbers

SMS messages (of CashMama, LoanZone, & an unidentified app’s users):

  • Message contents
  • Message times
  • “From” phone numbers
  • Contact names

Device info (of CashMama & LoanZone users):

  • Screen sizes
  • Storage space
  • Available storage space
  • Device memories
  • Operating systems
  • MAC addresses
  • IMEI numbers & more

Installed apps (of CashMama & an unidentified app’s users):

  • App names
  • Technical names
  • Install dates
  • App versions

Battery status (of an unidentified app’s users):

  • Users’ phone battery

GPS locations (of an unidentified app’s users):

  • GPS locations at different times/dates

Epoch files contained the contacts, SMS messages, device info, and installed apps of CashMama users.

SMS messages that most likely belong to LoanZone/Vayloan customers were found in SMS data and SMS & contact history files. SMS & contact history files also contained the contacts data of exposed users. Both file types contain customer PII and sensitive customer data that was likely mined from users’ phones. SMS & contact history files were repeatedly updated with fresh data to track any changes on users’ phones.

CashMama’s AWS S3 bucket contained nearly 650,000 SMS data files and almost 1 million SMS & contact history files — the latter exposed phone-related data for over 350,000 customers.

Device info that likely belonged to LoanZone/Vayloan users was also found in a Vayloan fingerprint data folder. We saw over 600,000 files in this folder that contained this form of sensitive user data.

MeraLoan users had their mobile phone contacts data exposed in MeraLoan applications & contracts files. One folder on the bucket stored over 7,000 files containing MeraLoan users’ contacts. We don’t know whether the app requested access to users’ contacts to gather this data. If it did, users need to be aware that granting contacts access gives the app permission to download all contact entries, including every detail stored within each contact.

Users of an instant loans app that we were not able to identify had a range of phone-related data exfiltrated from their device and stored in unidentified app files, including contacts, SMS messages, installed apps, battery status, and GPS locations.

Nearly 300,000 files (including duplicates) contained phone-related data belonging to the unidentified app’s users; these files exposed customer PII and sensitive customer data.

This news was originally published by Safety Detectives.

By Web Team
