A security breach at bicycle-sharing operation oBike has exposed the personal information of users in Singapore and 13 other countries.

A spokesperson for the company said the data leak “stemmed from a gap in our [application programming interface] that allowed users to refer a friend to our platform.” With the oBike app, users can send invitation codes and share finished rides on their social networks. It’s through this process that users unknowingly gave the app access to their personal information. Only the app didn’t properly safeguard that data, which means criminals could have stolen it and could eventually leverage it to commit identity fraud.

The breach lasted at least two weeks. It might date as far back as June 2017, however, as this case of information leakage documents. Ultimately, oBike patched a second vulnerability on 29 November 2017.

A spokesperson for the company says oBike wasted no time in responding to the breach. As quoted by CNET:

We were made aware of the issue, and worked quickly to resolve it immediately. This only affected a small handful of our users. The personal data that was exposed was limited to user names, email addresses and mobile numbers. The app does not store credit card details or passwords of users.

OBike in Taitung. (Source: Wikipedia)

They went on to say that the company also disabled the API and added extra security layers to protect users’ information.

In January 2017, oBike first implemented its bicycle-sharing platform in Singapore. It’s a dockless system, which means users with the mobile app can scan an eligible bike to use it and to then drop it off in a public bike-parking area when they’re done. oBike also operates in Australia, Malaysia, Switzerland, Germany, the UK, and elsewhere.

The company might have fixed the security issue, (Read more...)