Durex India accidentally leaks customers' personal data, order details
What's the story
Durex India, the local arm of the UK-based condom and personal lubricants brand, has accidentally exposed its customers' private information.
The security lapse was discovered by cybersecurity researcher Sourajeet Majumder and reported to TechCrunch.
The compromised data includes customers' full names, email addresses, phone numbers, and shipping addresses, as well as details about the products ordered and the amount paid.
Authentication issue
Security lapse due to improper authentication
The security breach was traced back to a lack of proper authentication on Durex India's order confirmation page.
This oversight led to the exposure of sensitive customer information.
While the exact number of impacted customers remains uncertain, Majumder found evidence suggesting that hundreds of people had their information exposed due to this lapse.
Verification
Company remains silent
TechCrunch independently verified Majumder's findings and confirmed that customer order details were still available online.
The publication has chosen to withhold some details about the exposure to prevent aiding potential malicious actors.
When contacted by TechCrunch about the exposed customer data, Ravi Bhatnagar, a spokesperson for Durex's parent company Reckitt, declined to comment or disclose whether the firm plans to secure its customers' information.
Potential risks
Data breach could lead to identity theft, harassment
Majumder warned that the exposed data could be used for identity theft and that the contact details could lead to unwanted harassment.
He also alerted India's Computer Emergency Response Team (CERT-In), which acknowledged his email, about the security breach.
"Affected customers can also become victims of social harassment or moral policing because of this leak," Majumder told TechCrunch, emphasizing the potential risks associated with such data breaches.