China-based lending company Moneed’s unprotected database has exposed phone numbers and names of millions of Indians. Security researcher Anurag Sen found this database on an open elastic …

China-based lending company Moneed's unprotected database has exposed the names and phone numbers of millions of Indians, putting them at risk of identity theft. Security researcher Anurag Sen found this database on an open elastic server that had more than 389 million phonebook records. Moneed has offices in Hangzhou, New Delhi, and Hong Kong.
Sen told TNW that the data is stored on a server provided by Hangzhou Alibaba advertising co. ltd in China. The discovery comes in the wake of anti-China sentiments across government authorities and citizens in India who are wary of its powerful neighbor's operations in cyberspace. Recently, India banned 59 Chinese apps including TikTok for allegedly stealing and surreptitiously transmitting users' data in an unauthorized manner to servers which have locations outside India.
Looking at the database entries, especially names, the app seems to have uploaded phonebooks of people who might've installed Moneed's apps. The company has two Android apps for securing loans, called Moneed and Momo, on the Play Store; both of them have more than a million downloads. Both of these apps ask for a ton of permissions including contacts, phone, storage, and location.
Shockingly, I managed to find my own contact details in the database. However, there were three entries against the same phone number; it's likely that different users will have saved my number against different names for that contact.
Records from Moneed database
The database contained data gathered between August 2019 and July 2020. Despite multiple emails to Moneed, we received no reply at the time of writing. We contacted the host of the server, and the Alibaba Security Response Center (ASRC) took the database offline for security.
Meanwhile, Moneed's loan service itself appears to be in violation of Google's app store policy. You can apply for a short-term loan for a tenure of 14 or 28 days. However, Google's developer policy states that the company doesn't allow apps that demand full repayment of loans in under 60 days. We've reached out to the company for an explanation, and we'll update the story when we hear back.
In the past few months, several reports have noted that Moneed and several other Chinese microloan apps have been harassing borrowers in India for repayment. One of the methods these companies use is reportedly to call borrowers' family and friends to ask for money. They also create a WhatsApp group with the borrower's family to ask for their whereabouts.
In this tense political climate, it's worrisome that the data of so many Indian citizens were captured and stored on a foreign server without explicit consent or disclosure. Recently, Cyble reported that more than 150,000 IDs of Indians were leaked on the dark web by a Mandarin-speaking actor.
Moreover, despite such a large amount of data stored in the database, there were no security precautions. Furthermore, this data could be used for illegal extortion of money or other malicious purposes. The company has a responsibility to keep customer data safe and respond to security threats in a timely manner, and it has clearly failed them in this case.