Bicycle-sharing operator oBike stated that the company is reviewing the security of its application following a leak that affected its users’ data, such as names and ride locations, in 14 countries worldwide.
German broadcaster Bayerischer Rundfunk reported last week that unencrypted oBike user data were accessible online.
A spokesman for the Singapore-based firm said that it was made aware of the issue two weeks ago and acted quickly to resolve it, adding that it affected only a handful of users.
He said, “As a tech company, users’ data and security are of paramount importance to us.”
The spokesman added that credit card details and user passwords were not stored in the application and were not leaked.
A gap in the oBike app’s application programming interface (API) that allowed users to refer their friends to the firm’s services was said to be the cause of the leak.
According to the spokesman, the company has since fixed the loophole by disabling the API and has created additional security layers.
He noted that the systems were now fully restored and secure.
Meanwhile, a spokesman for Mobike said it had robust data management protocols in place to protect user data and that the company did not share users’ personal data with third parties without their consent.
The news of oBike’s user data leak came after a similar case involving ride-hailing giant Uber.
In November, a passenger posted on her Facebook account that more than 30 transactions, amounting to a total of more than $1,300, had been made in only five days.
Uber chief executive Dara Khosrowshahi revealed on 21 November that hackers compromised personal data from some 57 million riders and drivers in a breach kept hidden for a year.
However, the company did not inform the authorities about the attack and instead paid the hackers US$100,000 (S$135,000) to delete the compromised data.
Closer to home, the NRIC numbers of hundreds of Xinmin Secondary School students were leaked online last month.
Mr David Maciejak, security research director for cyber-security provider Fortinet, said, “The sad reality is that this kind of incident is getting more common,” adding that people should take steps to protect their own data, such as by using a virtual credit card, which provides users with a disposable credit card number.
Michael Smith, Akamai Technologies security chief technology officer, warned people against reusing passwords across multiple websites and applications, suggesting instead the use of password manager applications such as LastPass, which create a private account where users can store encrypted passwords.
Observers said the increasing use of APIs, which allow various software components to communicate, means they are especially vulnerable to attack.
According to Mr Smith, though the use of APIs is becoming more important, there is less knowledge and history on how to secure them.
He said, “Over the past several years, we’ve seen attackers target APIs more frequently because they are perceived as being less protected than websites that are accessed with a browser.”
South-east Asia and Greater China senior director for security firm RSA, Mr Edward Lim, said there needs to be more stringent testing for APIs, adding, “For example, firms could incorporate vulnerability assessment at every major stage of the API development, instead of only upon completion of the apps.”
Asia-Pacific chief technology officer for network security firm F5 Networks, Mr Mohan Veloo, said APIs should be vetted to ensure that they do not give third parties an unnecessary level of authorisation rights and privileges that could be exploited by hackers, describing the use of APIs as a double-edged sword for companies.
“By using APIs, businesses inadvertently open up a back door to all their data,” he added.
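The report says the leak came from a referral API that handed out user data such as names and ride locations, and the experts quoted above say the fix is to vet what an API authenticates, what it authorises and what it returns. The following is an added illustration, not oBike’s code or any real API: a hypothetical referral-lookup handler in its over-permissive form beside a hardened form. The user records, session tokens, header and field names are all constructed for the example.

```python
"""Added example (not oBike's code): a hypothetical referral-lookup API
handler in an over-permissive form next to a hardened form.  All records,
tokens and field names below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample user store; no real data.
USERS = {
    "u1001": {"name": "Alice Tan", "email": "alice@example.com",
              "last_ride": {"lat": 1.3521, "lng": 103.8198},
              "referral_code": "ALICE10"},
    "u1002": {"name": "Bob Lim", "email": "bob@example.com",
              "last_ride": {"lat": 1.2903, "lng": 103.8520},
              "referral_code": "BOB10"},
}

# Constructed session-token table: bearer token -> authenticated user id.
SESSIONS = {"tok-alice": "u1001", "tok-bob": "u1002"}


@dataclass
class Request:
    path_user_id: str                      # user id taken from the URL path
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: Optional[dict]


def vulnerable_referral_lookup(req: Request) -> Response:
    """Over-permissive handler: no authentication, no authorisation, and the
    whole stored record is returned.  Anyone who can supply an id gets the
    name, e-mail and last ride location.  This is the failure mode, kept
    here only so the hardened version can be compared against it."""
    user = USERS.get(req.path_user_id)
    if user is None:
        return Response(404, None)
    return Response(200, dict(user))


def hardened_referral_lookup(req: Request) -> Response:
    """Hardened handler: the session token must map to a user, the caller may
    only read its own referral data, and only the one field the referral
    feature needs (the referral code) is returned.  Denied requests carry no
    record data at all."""
    caller = SESSIONS.get(req.headers.get("Authorization", ""))
    if caller is None:
        return Response(401, None)          # not authenticated
    if caller != req.path_user_id:
        # Authenticated but asking for another user's record: refuse.  In a
        # real service this is also worth logging, because repeated attempts
        # across many ids are a useful detection signal.
        return Response(403, None)
    user = USERS.get(caller)
    if user is None:
        return Response(404, None)
    return Response(200, {"referral_code": user["referral_code"]})


if __name__ == "__main__":
    anon = Request("u1002")
    print(vulnerable_referral_lookup(anon))   # leaks Bob's name and ride location
    print(hardened_referral_lookup(anon))     # 401, no body
    print(hardened_referral_lookup(Request("u1002", {"Authorization": "tok-alice"})))  # 403
    print(hardened_referral_lookup(Request("u1002", {"Authorization": "tok-bob"})))    # referral code only
```

The three checks in the hardened handler map directly onto the advice in the report: authenticate the caller (who is asking), authorise the request against the caller’s own identity (may they ask about this record), and minimise the response to what the feature needs (what they get back). A vulnerability assessment run at each stage of API development, as suggested above, would test each of those three points on every endpoint rather than only at release.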