Update (08/17/2020): Moneed has issued a statement saying it complies with all laws and regulations in India. Although the company did not acknowledge the data breach, it said the team took into account cybersecurity researchers’ suggestions to “strengthen our firewall and security protection to fully meet standards and requirements in accordance with laws and regulations established by the authorities”.
– Moneed (@Moneed9) August 14, 2020
China-based loan firm Moneed’s unprotected database exposed the names and phone numbers of millions of Indians, putting them at risk of identity theft. Security researcher Anurag Sen found the database on an openly accessible Elasticsearch server that held over 389 million directory records. Moneed has offices in Hangzhou, New Delhi and Hong Kong.
Sen told TNW that the data is stored on a server provided by Hangzhou Alibaba Advertising Co. Ltd. in China. The discovery comes in the wake of anti-Chinese sentiment from government officials and Indian citizens who are wary of their powerful neighbor’s operations in cyberspace. Recently, India banned 59 Chinese apps, including TikTok, for allegedly “stealing and surreptitiously transmitting user data in an unauthorized manner to servers outside India”.
Looking at the database entries, especially the names, the app appears to have harvested the phone contact lists of people who might have installed Moneed’s apps. The company has two Android apps for offering loans, called Moneed and Momo on the Play Store; both have over a million downloads. Both apps ask for a ton of permissions, including contacts, phone, storage, and location.
Surprisingly, I managed to find my own contact details in the database. However, there were three entries against the same phone number; it is likely that different users had saved my number under different names in their contacts.
The database contained data collected between August 2019 and July 2020. Despite several emails to Moneed, we have not received any response at the time of writing. We contacted the host of the server and the Alibaba Security Response Center (ASRC) took the database offline for security reasons.
Meanwhile, Moneed’s loan service itself appears to be in violation of Google Play’s policy. You can apply for a short-term loan of 14 or 28 days; however, Google’s developer policy states that the company does not allow applications that require full repayment of loans in less than 60 days. We have contacted the company for an explanation and will update the story when we have a response.
In recent months, many reports have noted that Moneed and several other Chinese microcredit apps harass borrowers in India for repayment. One of the methods used by these companies is to call the family and friends of borrowers to ask them for money. They also create WhatsApp groups with the borrower’s family to ask where the borrower is.
In this tense political climate, it is worrying that the data of so many Indian citizens has been captured and stored on a foreign server without explicit consent or disclosure. Recently, Cyble reported that more than 150,000 Indian IDs had been disclosed on the dark web by a Mandarin-speaking actor.
Also, despite the large amount of data stored in the database, no security precautions were in place to protect it. This data could be used for extortion or other malicious purposes. The company has a responsibility to protect customer data and respond to security threats in a timely manner, and it has clearly failed to do so in this case.