12,000+ Indian blood donors’ PII and passwords leaked
CloudSEK has discovered a data leak that contains sensitive information of 12,472 blood donors registered on http://www.indianblooddonors.com/index.php. Indian Blood Donors is an organization that maintains a free database of blood donors. They also have an app, which matches recipients with the nearest donor, based on blood type.
Discovery of the leak
A CloudSEK researcher discovered posts on 2 forums advertising a database of Indian blood donors registered on http://www.indianblooddonors.com/index.php. The posts claimed that the database, which contains donors’ Personally Identifiable Information (PII), blood type, and passwords in plain text, was available for free. So, we were able to obtain the complete database at no cost to validate its contents.
Read more on CloudSEK.
An online Indian bloodbank leaking donor info that winds up being given away on forums frequented by hackers and criminals? Shocking!
Oh wait, it’s not shocking. It’s happened before. In 2019, I reported on another onlinebloodbank that wouldn’t respond to notifications. I was therefore not surprised when eventually their data showed up on an online forum for sharing and selling databases. Has their data actually been misused by criminals? I do not not know, but I would not be surprised if it had been at least misused for spam purposes.
But I also noticed that like my experience with the first online bloodbank, it appears that IndianBloodDonors.com also failed to respond to notifications while leaving donors at risk. As CloudSEK reports, the passwords are not hashed, “meaning anybody can log into a donor’s account, on the Indian Blood Donors website or app, and alter their details or act on their behalf.” And as importantly, since people tend to reuse passwords, the credentials obtained from this database can be used for attacks on other sites.
I know that there are people in India working on getting better data protection for personal and health information. I also know that this seems to be a widespread problem in India, as I replied to Sai Krishna Kothapalli, who wrote, How screwed is Indian healthcare data?
It’s very screwed. Very, very, very, very, VERY screwed from a data protection perspective. As is other Indian personal data.
Would it be appropriate to say that “thoughts and prayers” are with those trying to get entities in India to lock down their data and to respond when whitehats try to notify them of problems?