Security researcher Bob Diachenko discovered a database belonging to a ride-hailing company operating in Iran that was left exposed online without protection.
The MongoDB instance named ‘doroshke-invoice-production‘ contained over 6.7 million records of Iranian drivers.
Exposed records include driver first name and last name, SSN (10-digits Iranian ID number in plain text), phone number, and invoice date.
The expert discovered the database using the BinaryEdge search engine that indexes data available on the internet.
Security researcher Bob Diachenko discovered the database named ‘doroshke-invoice-production’ using BinaryEdge search engine that allows
to scan the entire internet space and acquiring data.
“On April 18th, during our regular security audit of
The database included two collections with invoices split by year:
The MongoDB contained a large number of duplicates, the researcher estimates that the unique number of entries is between one and two million.
At the time of writing the owner of the archive is still unknown, fortunately, it has secured the instance.
Diachenko reported its discovery to the Iranian CERT and also attempt to alert researchers in Iran to discover the owner.
“We were able to get in touch with a couple of drivers with an attempt to identify the owner of the database. At the same time, my colleagues have reached out to the biggest ride-hailing companies in Iran to confirm data origin. ” concludes Diachenko.
“While I did not receive an official confirmation or comment from either company, we can only guess if this data was part of their infrastructure. However, no matter who owned it, the fact alone that such highly sensitive PII (
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.