Indian ride-hailing company Rapido has suffered a significant data breach that exposed sensitive personal information of over 1,800 users and drivers. The breach, discovered by security researcher Renganathan P, was linked to a vulnerability in the company’s website feedback form. This flaw allowed access to an API that stored customer details, including full names, email addresses, and phone numbers, which were unintentionally left public.
The exposed API was designed to collect user feedback and forward it to a third-party service provider, but it lacked the privacy protections such data requires. TechCrunch verified the flaw by submitting test details through the feedback form and confirming that they appeared in a publicly accessible portal. This oversight raised serious concerns about the potential misuse of personal information.
The breach exposed both users and drivers to risks such as phishing scams and social engineering attacks. Experts warned that malicious actors could exploit the leaked data to impersonate Rapido representatives, leading to further security issues. Renganathan highlighted the need for better API protection measures to prevent such lapses in the future.
Following the discovery, Rapido responded by securing the exposed portal and making it private. In a statement, CEO Aravind Sanka acknowledged the incident, explaining that the feedback portal was managed by an external vendor and had unintentionally reached unauthorized users. “As part of our standard operating procedures, we are addressing this to ensure it does not happen again,” Sanka stated.
In the wake of the breach, the company urged its users and drivers to remain vigilant against potential scams. Security experts advised users to strengthen their passwords, avoid sharing sensitive information over calls or emails, and report any suspicious activities linked to their Rapido accounts.
This incident highlights the increasing importance of robust data security practices, particularly for companies handling large amounts of user and driver information. While Rapido’s quick response is commendable, the breach serves as a stark reminder for organizations to prioritize privacy and ensure thorough vetting of third-party services handling sensitive data.