Update (17/08/2020): Moneed issued a statement stating that it follows all laws and regulations of India. While the company didn’t acknowledge the data breach, it said that the team has taken suggestions from cybersecurity researchers for “strengthening our firewall and security protection to completely meet the standards and requirements according to the laws and regulations set forth by authorities.”
— Moneed (@Moneed9) August 14, 2020
China-based lending company Moneed’s unprotected database has exposed the names and phone numbers of millions of Indians, putting them at risk of identity theft. Security researcher Anurag Sen found this database on an open elastic server that had more than 389 million phonebook records. Moneed has offices in Hangzhou, New Delhi, and Hong Kong.
Sen told TNW that the data is stored on a server provided by Hangzhou Alibaba advertising co. ltd in China. The discovery comes in the wake of anti-China sentiments across government authorities and citizens in India who are wary of its powerful neighbor’s operations in cyberspace. Recently, India banned 59 Chinese apps including TikTok for allegedly “stealing and surreptitiously transmitting users’ data in an unauthorized manner to servers which have locations outside India.”
Looking at the database entries, especially names, the app seems to have uploaded phonebooks of people who might’ve installed Moneed’s apps. The company has two Android apps for securing loans, called Moneed and Momo on the Play Store, — both of them have more than a million downloads. Both of these apps ask for a ton of permission including contacts, phone, storage, and location.
Shockingly, I managed to find my own contact details in the database. However, there were three entries against the same phone number; it’s likely that different users will have saved my number against different names for that contact.
The database contained data gathered between August 2019 and July 2020. Despite multiple emails to Moneed, we received no reply at the time of writing. We contacted the host of the server, and the Alibaba Security Response Center (ASRC) took the database offline for security.
Meanwhile, Moneed’s loan service itself appears to be in violation of Google’s app store policy. You can apply for a short-term loan for a tenure of 14 or 28 days. However, Google’s developer policy states that the company doesn’t allow apps that demand full repayment of loans in under 60 days. We’ve reached out to the company for an explanation, and we’ll update the story when we hear back.
In the past few months, several reports have noted that Moneed and several other Chinese microloan apps have been harassing borrowers in India for repayment. One of the methods these companies use is reportedly to call borrowers’ family and friends to ask for money. They also create a WhatsApp group with the borrower’s family to ask for their whereabouts.
In this tense political climate, it’s worrisome that the data of so many Indian citizens were captured and stored on a foreign server without explicit consent or disclosure. Recently, Cyble reported that more than 150,000 IDs of Indians were leaked on the dark web by a Mandarin-speaking actor.
Moreover, despite such a large amount of data store on the database, there were no security precautions. Furthermore, this data could be used for illegal extortion of money or other malicious purposes. The company has a responsibility to keep customer data safe and respond to security threats in a timely manner — and it has clearly failed them in this case.