Vulnerability on RailYatri server exposed sensitive information of 7 lakh users: Report


Update at 10:30 IST, August 25: In an official statement issued on Monday evening, RailYatri said the server reported to have been breached was only a test server. The company has refuted Safety Detectives’ assessment that over 700,000 email addresses had been leaked on the internet, calling it “impossible”. The spokesperson argued that as per general protocol, all data older than 24 hours is deleted from the server automatically, so the claim that email addresses had leaked over a period of three days was factually incorrect. The company also noted that it fixed the issue as soon as it was brought to its notice by CERT-In.

On possible exposure of credit card and other sensitive user information, RailYatri said it did not store such financial and other sensitive data, with the exception of some partial details.

Anurag Sen, head of security research at Safety Detectives, whose team had discovered the vulnerability, was unconvinced by RailYatri’s statement. Questioning the company’s claim that only a day’s worth of data was stored on the said server at any given moment, he said that when his team discovered the vulnerability on August 10, the server logs showed data from August 6 still on it.

*Original story published on August 24: 

Popular ticketing and travel website RailYatri has suffered a massive data breach, exposing personal details of an estimated 700,000 individuals, according to a report by security review website Safety Detectives. In a post published on Monday, Safety Detectives said that all the data present on one of the company’s production servers was left exposed for several days to potentially anyone who knew its IP address.


MediaNama has reached out to RailYatri. A representative said the company would be putting out an official statement later today. We will update this post accordingly.

Data breach discovered on August 9: The affected server is reported to have been exposed on August 9. The next day, a Safety Detectives’ team discovered the vulnerability and tried to alert RailYatri about it.

Database targeted with Meow bot attack: Three days later, the team looked into the issue again, only to find that the server was still exposed. They also discovered that the server had become the target of a Meow bot attack, in which almost all of the data stored on it had been deleted. Meow bot attacks target and wipe out data stored on servers running Elasticsearch and MongoDB instances without sufficient security measures. Despite this, according to Safety Detectives’ head of security research Anurag Sen, whose team had discovered the vulnerability, the server was functional even on August 17, when it was storing new data. “Most of the previous data got deleted [in the Meow bot attack], but it was getting updated every day as new logs were coming,” he told MediaNama.

Server taken offline after CERT-In was contacted: After having failed to get a response from RailYatri, Sen and his team contacted the Computer Emergency Response Team (CERT-In). The server was taken offline on August 18. They had only received an automated response from CERT-In, saying it had registered the incident. Sen said Safety Detectives is yet to hear back from RailYatri.

How much data was breached: According to the researchers, sensitive information of around 700,000 people was exposed. This estimate was based on the number of unique email IDs that could be seen on the server logs.

What data was leaked: The user information included their full names, age, gender, addresses, email addresses, mobile numbers, payment logs, partial records of credit and debit card information, UPI IDs, train and bus ticket booking details, travel itinerary, authentication token information and user session logs. Even users’ GPS location data with location area codes and CellID information was exposed. The post noted: “Possibly the most damaging aspect of the data breach is the fact that our security team discovered partial credit and debit card payment logs including the name on the card, the first and last 4 digits of the card number, the card-issuing bank and card expiry information.”


The post noted that “thankfully”, the leaked payment information was suppressed to reveal card numbers only partially, thereby reducing the risk of financial scams. “However, resourceful hackers could still use the information on the server to launch phishing scams to induce victims to hand over their financial information,” it added.

***Update at 10:30 PM. Originally published at 17:55 IST, on August 24.
