12,000+ Indian blood donors’ PII and passwords leaked

CloudSEK has discovered a data leak that contains sensitive information of 12,472 blood donors registered on http://www.indianblooddonors.com/index.php. Indian Blood Donors is an organization that maintains a free database of blood donors. They also have an app, which matches recipients with the nearest donor, based on blood type.  

Discovery of the leak

A CloudSEK researcher discovered posts on 2 forums advertising a database of Indian blood donors registered on http://www.indianblooddonors.com/index.php. The posts claimed that the database, which contains donors’ Personally Identifiable Information (PII), blood type, and passwords in plain text, was available for free. So, we were able to obtain the complete database at no cost to validate its contents.  

The contents of the leak

The complete database contains 12,472 records and each record has the following fields:

• • REC ID
  • STD code
  • Blood Group
  • Mobile Number
  • Name
  • Email ID
  • Last Contacted Date
  • Pin code
  • Registration date
  • Counter
  • Password in plain text 

Data verification and validation 

Since the data was being shared for free, the possibility of it being fake was not far-fetched.  However, using public sources, we were able to verify various fields in the data dump and found that it is authentic and belongs to http://www.indianblooddonors.com. 

Impact 

1. Threat actors can use the PII in the data dump to orchestrate phishing campaigns, online and offline scams, and even identity theft. 
2. Since the passwords are not hashed, anybody can log into a donor’s account, on the Indian Blood Donors website or app, and alter their details or act on their behalf. 
3. Since people are known to use the same password for multiple accounts, threat actors could use credential re-use attacks to compromise their email, banking, or other online accounts. 

Next Steps

The donors need to:

1. Change their Indian Blood Donors account password at the earliest. 
2. Update other accounts that use the same password. 
3. Verify that their details have not been altered in the Indian Blood Donors’ website.
4. Review all online accounts for suspicious activity. 
5. Ask friends and family to be cautious of suspicious emails from their accounts. 

Indian Blood Donors should:

1. Identify the source of the leak and fix the vulnerability at the earliest.
2. Start storing only hashed passwords
3. Get an SSL certificate for the site to upgrade it from HTTP to HTTPS.  

Disclosure

We notified Indian Blood Donors and CERT India about the leak. While CERT India has responded, saying that necessary action is being taken, Indian Blood Donors has not responded, at the time of publishing this article. If we receive a reply, it will be duly updated here.