Yes Madam, an at-home salon start-up based in Noida, India, has reportedly exposed the sensitive data of its customers and gig workers due to a server-side misconfiguration. A security researcher named Anurag Sen claimed that a database containing the personal details of hundreds of thousands of customers was allegedly left connected to the internet without a password since at least February 20.
The database allegedly included customers' full names, mobile numbers, email addresses and physical addresses, as well as some location data such as latitude and longitude values, user device details and payment links. In addition, Yes Madam allegedly exposed profile images, names and mobile numbers of gig workers working for the platform. Sen reported the data exposure to the Indian Computer Emergency Response Team (CERT-In).
According to Sen, the database held records for more than 900,000 users, and anyone with the database's IP address could access the data using just a web browser. Yes Madam reportedly secured the database on March 3 after being contacted by TechCrunch.
Founded in 2017 by Aditya and Mayank Arya, Yes Madam offers at-home salon services, including massage, spa, therapies, hair treatments and male grooming services. Its app has been downloaded more than a million times and the company operates in over 30 cities in India. Yes Madam raised $100,000 in funding in its pre-seed round.
This incident highlights the importance of properly securing databases that contain sensitive data. Companies must take data security seriously and put appropriate, robust security measures in place to prevent unauthorised access to their customers' personal data. Failure to do so can result in significant harm to individuals and damage to a company's reputation.