Recently, a huge trove of more than 120,000 passports, driver's licenses and identity documents uploaded by users of a bike-sharing service surfaced on the Internet. It is reported that security researcher Bob Diachenko found the data in an unprotected storage bucket hosted by Amazon on February 11 and passed the details to TechCrunch in an effort to get the data secured.
The name of the bucket indicates that it belongs to Mobike, a shared-bike operator that was established in China. Anyone who knew the bucket's easy-to-guess name could browse the library of passports and identity documents from their web browser. The documents date back to 2017, and the collection was growing every day.
It is reported that the bucket stores the identity documents that users must upload before using a Mobike bike. The bucket also contains 94,000 customer selfies and 49,000 customer signatures, which are used to verify the identity of users. Almost all of the identity documents belong to users in Latin America, including Argentina and Brazil. None of the data was encrypted.
Mobike was established in Beijing in 2015 and has changed hands several times. It was once known as the pioneer of bike sharing in China. The booming startup absorbed billions of dollars in investment before it was purchased by China's on-demand service giant Meituan for $2.7 billion in 2018. Mobike's business in China was later renamed Meituan Bicycle.
Mobike had international ambitions, but it ran into trouble. In the months after it was acquired by Meituan, it lost hundreds of millions of dollars. Meituan later decided to divest Mobike's international business to cut costs. Under the company's plan, Mobike's operations in Southeast Asia were closed, while its operations in Northeast Asia, Latin America and Europe were maintained through local partners.
However, when contacted about this security vulnerability, no one seemed willing to assume ownership of, or responsibility for, the exposed data.
When TechCrunch contacted Meituan, Meituan spokesman Xiang Xi said that the company "has nothing to do with this matter" because it sold Mobike's Latin American business in August 2019, but he declined to disclose who acquired it, citing a confidentiality agreement. That makes it more difficult to know whom to contact about the exposed customer data.
However, many of the documents in the exposed bucket date from before August 2019, when Meituan was said to still own Mobike.
TechCrunch contacted a number of public and private email addresses known to be associated with Mobike. Many emails went unanswered, while others bounced back with error messages saying that the emails sent by the publication could not be delivered. TechCrunch also sent a number of messages containing the web address of the exposed bucket to the Mobike customer support number on WhatsApp, but received no response.
By the end of May, the bucket had been secured. It is not clear who secured it. In addition, I don't know how long the bucket had been exposed, and I don't even know how its contents came to be made public. Because Amazon's buckets are private by default, the people who control them must change their permissions to allow public access.
At the time of writing this report, Mobike had not made a statement about this security incident on its website or any social media. In fact, Mobike has not released any relevant information since 2019.