Indian at-home salon platform Yes Madam exposed the sensitive data of its customers and gig workers due to a server-side misconfiguration.
Noida-based Yes Madam operates in more than 30 cities in the country, according to the firm’s website. The platform offers salon services at home, including therapies, massage, spa and male grooming. Yes Madam’s mobile apps also attracted over a million downloads.
But the startup left a database containing full names, mobile numbers, mailing addresses and email addresses of hundreds of thousands of Yes Madam customers connected to the internet without a password since at least February 20. The database also included customers’ location data, including their latitude and longitude values, as well as payment links, and user device details, such as the model names and IMEI numbers.
Additionally, the startup exposed profile images, names and mobile numbers of gig workers on the platform.
Security researcher Anurag Sen of CloudDefense.ai found the exposed database and asked TechCrunch to help report it to the startup.
Anyone familiar with the database’s IP address could access the spilling data due to the misconfiguration using just their web browser. Sen said the database had entries of more than 900,000 users.
Yes Madam secured the database on Friday, shortly after TechCrunch reached out with details. Yes Madam co-founder Mayank Arya confirmed to TechCrunch that it had put in place a fix.
When asked if Yes Madam had the technical means, such as logs, to determine whether the exposed data was accessed by anyone else, Arya did not comment further.
Sen also informed India’s computer emergency response team CERT-In, the lead agency for handling cybersecurity issues in the country, about the data exposure.