Data breach affects all customers of major car-sharing company

The executives of CityBee, a car-sharing company operating in Lithuania, acknowledged a security incident that resulted in customers’ data breach, including their login credentials; the compromised information is available on an illegal dark web forum for sale. This is a widely recognized company in Lithuanian territory, renting cars, skates, bicycles and even buses for its clients.

The alleged threat actor behind this incident claims that one of the company’s website backups was exposed on the Internet without the slightest security measures, so any user could have accessed this information; the database contains more than 110,000 records with personal data such as:

  • Full names
  • User codes
  • Phone numbers
  • Addresses
  • Email addresses
  • Driver’s license details
  • Encrypted passwords, among other details

A sample of information shared by this individual on dark web shows only some email addresses, hashed passwords and the names of some affected users, so it is understood that the rest of the compromised information is for sale.

The hacker later mentioned that they were unaware that CityBee was such a large company, although he also mentions that his security measures were really poor considering the volumes of confidential information they collect from his clients: “The little security in CityBee is alarming; I’ve seen information being extracted from other companies because of these mistakes and companies haven’t even heard about this situation. When we do a quick search for some CNAME records we find really interesting information and we’ll probably find more.”

Shortly after the publication of some reports the company acknowledged the incident through a statement on its official Facebook page. Hours later CityBee released an update mentioning that this database was out of date, as it contained only user information registered before February 2018.  

Moreover, the company mentions that the financial details of its clients are completely safe, as the company does not store these records. Even so, active users of the platform were advised to reset their passwords as an additional security measure, preventing dictionary attacks and credential padding. Enabling the multi-factor authentication feature available in CityBee is also recommended. To learn more about information security risks, malware, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) website.