CloudSEK has discovered a data leak that contains sensitive information of 12,472 blood donors registered on http://www.indianblooddonors.com/index.php. Indian Blood Donors is an organization that maintains a free database of blood donors. They also have an app, which matches recipients with the nearest donor, based on blood type.
A CloudSEK researcher discovered posts on two forums advertising a database of Indian blood donors registered on http://www.indianblooddonors.com/index.php. The posts claimed that the database, which contains donors’ Personally Identifiable Information (PII), blood type, and passwords in plain text, was available for free. We were therefore able to obtain the complete database at no cost and validate its contents.
The complete database contains 12,472 records and each record has the following fields:
Since the data was being shared for free, it could plausibly have been fake. However, using public sources, we were able to verify various fields in the data dump and found that it is authentic and belongs to http://www.indianblooddonors.com.
We notified Indian Blood Donors and CERT India about the leak. CERT India has responded, saying that necessary action is being taken, but Indian Blood Donors has not responded at the time of publishing this article. If we receive a reply, this article will be updated.