CloudSEK has discovered a data leak that contains sensitive information of 12,472 blood donors registered on http://www.indianblooddonors.com/index.php. Indian Blood Donors is an organization that maintains a free database of blood donors. They also have an app, which matches recipients with the nearest donor, based on blood type.
Discovery of the leakA CloudSEK researcher discovered posts on 2 forums advertising a database of Indian blood donors registered on http://www.indianblooddonors.com/index.php. The posts claimed that the database, which contains donors’ Personally Identifiable Information (PII), blood type, and passwords in plain text, was available for free. So, we were able to obtain the complete database at no cost to validate its contents.
[caption id="attachment_6676" align="aligncenter" width="587"] Posts advertising the data leak on different forums[/caption]
The contents of the leakThe complete database contains 12,472 records and each record has the following fields:
- REC ID
- STD code
- Blood Group
- Mobile Number
- Email ID
- Last Contacted Date
- Pin code
- Registration date
- Password in plain text
Data verification and validationSince the data was being shared for free, the possibility of it being fake was not far-fetched. However, using public sources, we were able to verify various fields in the data dump and found that it is authentic and belongs to http://www.indianblooddonors.com.
- Threat actors can use the PII in the data dump to orchestrate phishing campaigns, online and offline scams, and even identity theft.
- Since the passwords are not hashed, anybody can log into a donor’s account, on the Indian Blood Donors website or app, and alter their details or act on their behalf.
- Since people are known to use the same password for multiple accounts, threat actors could use credential re-use attacks to compromise their email, banking, or other online accounts.
The donors need to:
- Change their Indian Blood Donors account password at the earliest.
- Update other accounts that use the same password.
- Verify that their details have not been altered in the Indian Blood Donors’ website.
- Review all online accounts for suspicious activity.
- Ask friends and family to be cautious of suspicious emails from their accounts.
Indian Blood Donors should:
- Identify the source of the leak and fix the vulnerability at the earliest.
- Start storing only hashed passwords
- Get an SSL certificate for the site to upgrade it from HTTP to HTTPS.