Thousands of Brazilians at Risk Due to a Bus Transportation Mobile App Data Leak
WizCase found a serious data breach at Guiche Virtual, a Brazilian company that sells bus tickets online. The 26GB of leaked data exposed over 3.6 million emails (including duplicates) and at least 17,000 entries with personal information, such as full names, hashed passwords, and addresses. We have disclosed the leak to the company involved as well as to the Brazilian CERT, and the server is now secured.
What’s Going On?
Our team of white-hat hackers discovered an open ElasticSearch database that belonged to Guiche Virtual.
Guiche Virtual is a Brazilian business that provides online bus ticket booking across the country through different bus companies. The service is distributed online via mobile apps — Guiche Virtual on iOS and Guiche Estrada on Android. It seems that the leaked data contains information collected from both platforms as well as data from the company’s online platform. Though the company is located in Brazil, the vulnerable server was hosted in the US.
The leak exposed detailed information about users’ private data and activity, including:
- Full names
- Email addresses
- Hashed passwords
- CNPJ Brazilian tax identification number
- Home address with postal code
- Phone number
- Passport numbers
- Detailed travel information for each user, such as destination, ticket cost, and seat purchased
- Email correspondence
How Did It Happen and Whose Data Was Available?
Guiche Virtual stored a lot of its data on an ElasticSearch server. By default, installing an ElasticSearch engine on a server comes with no access authentication enabled. This means that if the server is connected to the open web, it automatically becomes available to anyone with access to the internet. The default settings don’t enforce authorization because ElasticSearch servers were originally designed to be used only on internal networks. However, many users aren’t aware of this detail and, as a result, don’t set up authentication or IP whitelisting.
The unsecured database exposed over 26GB of data, with approximately 17,000 entries of Personally Identifiable Information (PII) and 3.6 million emails, including duplicates. The total size of the leaked data kept changing as the database server was live and updated daily. Since the company is located in Brazil, it seems that most of its users were also Brazilian.
What Are The Risks and What Should I Do Now?
Any data leak, regardless of what company it happens to, is a potentially significant privacy breach that puts everyone involved at huge risk of being targeted by cybercriminals and scammers. The Guiche Virtual leak exposed viable information about thousands of users, including their home addresses and even some passport details.
This compromised data may lead to many threats, such as:
- Identity theft and fraud: Many parts of leaked personal data, such as passport numbers and hashed passwords, could be used by attackers in identity fraud across different establishments and websites. The leaked passwords could also potentially be cracked and tested alongside exposed email addresses across various platforms. Cyber attackers are likely to do that in order to check for reusability — successful attempts would provide them with an abundance of additional information.
- Phishing scams and malware distribution: Email addresses and phone numbers revealed in the leak could be targeted with scam calls, phishing messages, and malicious correspondence. Scammers could use the victims’ personal information to gain their trust and encourage click-throughs as well as malware downloads.
- Business espionage: Competitor companies could use the exposed data to target Guiche Virtual users and increase their conversion rate. These attempts include sending personalized emails with attractive benefits to new users that could encourage them to swap to a different platform.
Anyone who has used Guiche Virtual should be on the lookout for suspicious emails and phone calls. Phishing attempts always try to mimic trustworthy organizations, such as banks or insurance companies, but you can spot certain differences in the sender’s address upon further inspection. However, if you’re ever in doubt about an email’s credibility, you can check directly with the company you think sent it. On top of that, watch out for “too good to be true” scams that ask for any personal information, as these could be social engineering attempts.
Additionally, you may want to enable two-factor authentication on your online accounts, including social media profiles. This can help prevent attackers from gathering extra information about you, even if they successfully crack leaked hashed passwords. With two-factor authentication turned on, you’ll receive a notification as soon as someone unauthorized tries to access any of your profiles.
Always remember that once your data is shared online, it’s always likely to be involved in an online data leak. That’s why you should limit the amount of information you post to the bare minimum.
Why Should I Trust WizCase?
WizCase is a widely popular web security platform offering advice and tips for thousands of readers every week. Translated into over 30 languages, our website has gained the trust of a wide number of people worldwide. Our team regularly discovers new data breaches across the internet and reports them to the companies responsible for them prior to publishing any reports. Together, we’re working hard towards creating a safer online environment for everyone.
In this case, we reached out not only to Guiche Virtual, but also to the Brazilian Computer Emergency Response Team (CERT). The latter sent us a response email explaining they contacted the company and helped with securing the misconfigured server.