The Indian arm of Durex has suffered a security lapse that left a trove of sensitive customer data exposed to anyone on the internet.
A security researcher by the name of Sourajeet Majumder recently reached out to TechCrunch with news of the leak at the company’s Indian operation. He noted that the Durex India website lacked proper authentication on its order confirmation page, so visitors who had not logged in at all could pull up other customers’ private order details.
The data includes customer names, phone numbers, email addresses, shipping addresses, the products ordered and the amount paid.
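The class of flaw described above, as an added illustration that is not code from the Durex India site or from TechCrunch’s reporting (the real details are being withheld): a hypothetical order confirmation handler that returns the record for any order number it is given, beside a hardened version that only answers when the requesting session owns the order or presents a per-order random confirmation token. The `ORDERS` store, the customers and every field value are constructed for the example; the record fields mirror the categories of data listed above.

```python
"""
Broken access control on an order confirmation page: the vulnerable
handler trusts the order number in the URL and nothing else, so a visitor
with no session can walk sequential order numbers and read every record.
The hardened handler checks who is asking before returning anything.
All data here is constructed for the example; it is not real customer data.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Order:
    order_id: int
    customer_id: str          # owner, as recorded at checkout (hypothetical field)
    name: str
    phone: str
    email: str
    shipping_address: str
    items: tuple
    amount_paid: str
    confirmation_token: str   # random per-order secret for guest-checkout links


def _new_order(order_id, customer_id, name, phone, email, address, items, amount) -> Order:
    # A 32-byte URL-safe token is not guessable, unlike a sequential order_id.
    return Order(order_id, customer_id, name, phone, email, address, items, amount,
                 secrets.token_urlsafe(32))


# Constructed sample store with sequential order numbers (the risky pattern).
ORDERS: Dict[int, Order] = {
    1001: _new_order(1001, "cust-a", "A. Customer", "+91-90000-00001", "a@example.com",
                     "1 Example Road, Mumbai", ("item-x",), "INR 499"),
    1002: _new_order(1002, "cust-b", "B. Customer", "+91-90000-00002", "b@example.com",
                     "2 Example Lane, Delhi", ("item-y", "item-z"), "INR 899"),
}


def public_view(order: Order) -> Dict[str, object]:
    """What the confirmation page renders: exactly the data categories that leaked."""
    return {
        "name": order.name, "phone": order.phone, "email": order.email,
        "shipping_address": order.shipping_address, "items": list(order.items),
        "amount_paid": order.amount_paid,
    }


def confirmation_vulnerable(order_id: int) -> Optional[Dict[str, object]]:
    """Vulnerable: no authentication, no ownership check. Any valid order_id works."""
    order = ORDERS.get(order_id)
    return None if order is None else public_view(order)


def enumerate_orders(start: int, count: int) -> List[Dict[str, object]]:
    """An unauthenticated visitor walking sequential order numbers against the
    vulnerable endpoint collects every record in the range."""
    found = []
    for oid in range(start, start + count):
        record = confirmation_vulnerable(oid)
        if record is not None:
            found.append(record)
    return found


def confirmation_hardened(order_id: int,
                          session_customer_id: Optional[str] = None,
                          token: Optional[str] = None) -> Dict[str, object]:
    """Hardened: the record is returned only to the logged-in owner, or to a
    guest presenting the unguessable per-order token from their own e-mail.
    Unauthorized and nonexistent orders both get 404 so the response does not
    act as an oracle for which order numbers exist."""
    order = ORDERS.get(order_id)
    if order is None:
        return {"status": 404}
    if session_customer_id is not None and session_customer_id == order.customer_id:
        return {"status": 200, "order": public_view(order)}
    if token is not None and hmac.compare_digest(token, order.confirmation_token):
        return {"status": 200, "order": public_view(order)}
    return {"status": 404}


if __name__ == "__main__":
    print("vulnerable endpoint leaks", len(enumerate_orders(1000, 10)), "records")
    print("hardened, no session:", confirmation_hardened(1002)["status"])
    print("hardened, owner:", confirmation_hardened(1002, session_customer_id="cust-b")["status"])
```

The two handlers differ by a single check: who is asking. Sequential order numbers plus an unauthenticated lookup is the combination that turns one confirmation page into a dump of every order; either an ownership check tied to the session or a random per-order token (and ideally both) closes it, and answering 404 for foreign orders rather than 403 keeps the endpoint from confirming which numbers are valid.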
Confirmed claims
We don’t know exactly how many people are affected by this error, but the number reportedly runs into the hundreds.
“For a brand dealing with intimate products, ensuring privacy is crucial,” Majumder said.
TechCrunch says it has confirmed the researcher’s claims: the data is still accessible and the flaw can still be reproduced. For that reason, the details of the bug are being withheld until Durex India fixes it.
Following his discovery, Majumder reached out to India’s Computer Emergency Response Team (CERT-In) which “acknowledged his email.”
“Affected customers can also become victims of social harassment or moral policing because of this leak,” he said. They could also be targeted with convincing phishing emails that impersonate Durex and trick them into downloading malware, handing over payment details, and so on.
So far, neither Durex nor its parent company Reckitt has said whether the information has been secured, despite being asked by the publication. We don’t know whether any malicious actors have found the data or exfiltrated it, but now that the news is out and the bug can be reproduced, it is safe to assume it is only a matter of time.