Home
Threat Intelligence Posts

12,000+ Indian blood donors’ PII and passwords leaked

The leaked database contains blood group, mobile number, email ID, password, among other information pertinent to registered donors.
Updated on
February 27, 2023
Published on
June 12, 2020
Read time
5
Subscribe to the latest industry news, technologies and resources.
CloudSEK has discovered a data leak that contains sensitive information of 12,472 blood donors registered on http://www.indianblooddonors.com/index.php. Indian Blood Donors is an organization that maintains a free database of blood donors. They also have an app, which matches recipients with the nearest donor, based on blood type.  

Discovery of the leak

A CloudSEK researcher discovered posts on 2 forums advertising a database of Indian blood donors registered on http://www.indianblooddonors.com/index.php. The posts claimed that the database, which contains donors’ Personally Identifiable Information (PII), blood type, and passwords in plain text, was available for free. So, we were able to obtain the complete database at no cost to validate its contents.  

[caption id="attachment_6676" align="aligncenter" width="587"]Posts advertising the data leak on different forums Posts advertising the data leak on different forums[/caption]  

The contents of the leak

The complete database contains 12,472 records and each record has the following fields:
    • REC ID
    • STD code
    • Blood Group
    • Mobile Number
    • Name
    • Email ID
    • Last Contacted Date
    • Pin code
    • Registration date
    • Counter
    • Password in plain text 

Data verification and validation 

Since the data was being shared for free, the possibility of it being fake was not far-fetched.  However, using public sources, we were able to verify various fields in the data dump and found that it is authentic and belongs to http://www.indianblooddonors.com

Impact 

  1. Threat actors can use the PII in the data dump to orchestrate phishing campaigns, online and offline scams, and even identity theft. 
  2. Since the passwords are not hashed, anybody can log into a donor’s account, on the Indian Blood Donors website or app, and alter their details or act on their behalf. 
  3. Since people are known to use the same password for multiple accounts, threat actors could use credential re-use attacks to compromise their email, banking, or other online accounts. 

Next Steps

The donors need to:
  1. Change their Indian Blood Donors account password at the earliest. 
  2. Update other accounts that use the same password. 
  3. Verify that their details have not been altered in the Indian Blood Donors’ website.
  4. Review all online accounts for suspicious activity. 
  5. Ask friends and family to be cautious of suspicious emails from their accounts. 
Indian Blood Donors should:
  1. Identify the source of the leak and fix the vulnerability at the earliest.
  2. Start storing only hashed passwords
  3. Get an SSL certificate for the site to upgrade it from HTTP to HTTPS.  

Disclosure

We notified Indian Blood Donors and CERT India about the leak. While CERT India has responded, saying that necessary action is being taken, Indian Blood Donors has not responded, at the time of publishing this article. If we receive a reply, it will be duly updated here. 

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Related Intelligence Posts
No items found.