Records containing sensitive information on perhaps millions of Iranian drivers was left unsecured in a publicly available database for days, according to security research published Thursday.
More than 6.7 million records from 2017 and 2018 were estimated to be exposed in a database discovered by researcher Bob Diachenko. Information included drivers’ first and last names, their Iranian ID numbers stored in plain text, their phone numbers, and other data such as invoice information. The data is now secured, Diachenko told CyberScoop.
The actual number of people affected in the breach is likely less than 6.7 million, Diachenko explained, because the database contains multiple files referring to the same people.
Diachenko said the data originated with TAP30, an Iranian ride-hailing company. The database was never downloaded in full, he said, and was exposed for a limited period of time.
“[W]e can only guess if this data was part of their infrastructure,” he wrote in a post published Thursday. “However, no matter who owned it, the fact alone that such highly sensitive [personally identifiable information] was available in the wild for at least three days, is scary. Chances are also big that this data was previously stolen from either company and now resurfaced[.]”