A significant bug in Rapido, an Indian bike-taxi aggregator app, has exposed the personal data of thousands of users and drivers across the country. The leaked information included full names, phone numbers and email addresses, raising serious privacy and security concerns.

The Rapido data breach highlights the critical importance of robust data security practices for companies handling user information. Although the company has addressed the issue, the incident underscores the growing risk of data leaks in India’s rapidly expanding digital economy.

Bug found in feedback form API

The vulnerability was discovered by Indian security researcher Renganathan P, who identified a flaw in the feedback form on Rapido’s website. The form, used to collect feedback from auto-rickshaw users and drivers, relied on an API that inadvertently passed the submitted details on to an external third-party service, where they could be viewed.

Security risks of exposed data

The exposed data posed a significant risk: it could have enabled cybercriminals to launch large-scale social engineering attacks or to sell the information on the dark web.

1,800 feedback forms affected

Over 1,800 feedback forms containing sensitive information such as phone numbers and email addresses were accessible because of the bug. These included the contact details of drivers, compounding the security threat.

The researcher further warned that this could lead to phishing scams or other malicious activities targeting users and drivers, since a name paired with a phone number and email address is enough to craft a convincing message impersonating the company.

Rapido’s response

Rapido acted swiftly by setting the exposed portal to private upon learning of the breach. Making the portal private stops further viewing, but it does not recover any responses that were already retrieved while it was publicly accessible. A company spokesperson downplayed the severity, describing the exposed data as "non-personal" and attributing the issue to survey links reaching unintended users.

Broader implications for data privacy

This incident follows closely on the heels of another data breach, at McDonald’s India (West and South), where a bug in its delivery system exposed customer and delivery partner data, including names, phone numbers and email addresses. That bug, discovered in July, was fixed in late September.

