DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

12,000+ Indian blood donors’ PII and passwords leaked

Posted on June 12, 2020 by Dissent

CloudSEK reports:

CloudSEK has discovered a data leak that contains sensitive information of 12,472 blood donors registered on http://www.indianblooddonors.com/index.php. Indian Blood Donors is an organization that maintains a free database of blood donors. They also have an app, which matches recipients with the nearest donor, based on blood type.

Discovery of the leak

A CloudSEK researcher discovered posts on 2 forums advertising a database of Indian blood donors registered on http://www.indianblooddonors.com/index.php. The posts claimed that the database, which contains donors’ Personally Identifiable Information (PII), blood type, and passwords in plain text, was available for free. So, we were able to obtain the complete database at no cost to validate its contents.

Read more on CloudSEK.

An online Indian bloodbank leaking donor info that winds up being given away on forums frequented by hackers and criminals? Shocking!

Oh wait, it’s not shocking. It’s happened before. In 2019, I reported on another onlinebloodbank that wouldn’t respond to notifications. I was therefore not surprised when eventually their data showed up on an online forum for sharing and selling databases. Has their data actually been misused by criminals? I do not not know, but I would not be surprised if it had been at least misused for spam purposes.

But I also noticed that like my experience with the first online bloodbank, it appears that IndianBloodDonors.com also failed to respond to notifications while leaving donors at risk. As CloudSEK reports, the passwords are not hashed, “meaning anybody can log into a donor’s account, on the Indian Blood Donors website or app, and alter their details or act on their behalf.” And as importantly, since people tend to reuse passwords, the credentials obtained from this database can be used for attacks on other sites.

I know that there are people in India working on getting better data protection for personal and health information. I also know that this seems to be a widespread problem in India, as I replied to Sai Krishna Kothapalli, who wrote, How screwed is Indian healthcare data?

It’s very screwed.  Very, very, very, very, VERY screwed from a data protection perspective. As is other Indian personal data.

Would it be appropriate to say that “thoughts and prayers” are with those trying to get entities in India to lock down their data and to respond when whitehats try to notify them of problems?

Related posts:

  • 1,355 Indian websites Hacked by hax.r00t n saadi Pakistani hackers
Category: Commentaries and AnalysesExposureHealth DataNon-U.S.

Post navigation

← Cybereason’s Newest Honeypot Shows How Multistage Ransomware Attacks Should Have Critical Infrastructure Providers on High Alert
Russia says Germany has not provided any evidence of Bundestag hack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Armenian National Extradited to the United States Faces Federal Charges for Ransomware Extortion Conspiracy
  • 70% of healthcare cyberattacks result in delayed patient care, report finds
  • Police disrupt “Diskstation” ransomware gang attacking NAS devices
  • Meta fixes bug that could leak users’ AI prompts and generated content
  • Mississippi Law Firm Sues Cyber Insurer Over Coverage for Scam
  • Ukrainian Hackers Wipe 47TB of Data from Top Russian Military Drone Supplier
  • Computer Whiz Gets Suspended Sentence over 2019 Revenue Agency Data Breach
  • Ministry of Defence data breach timeline
  • Hackers Can Remotely Trigger the Brakes on American Trains and the Problem Has Been Ignored for Years
  • Ransomware in Italy, strike at the Diskstation gang: hacker group leader arrested in Milan

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Upstate NY county clerk again refuses to enforce Texas abortion judgment
  • Attorney General James Leads Coalition Urging Congress to Protect Americans from Masked ICE Agents
  • Attorney General Tong Announces $85,000 Settlement with TicketNetwork for Violations of the Connecticut Data Privacy Act​
  • Fourth Circuit upholds West Virginia ban on abortion pills
  • Meta fixes bug that could leak users’ AI prompts and generated content
  • The EU’s Plan To Ban Private Messaging Could Have a Global Impact (Plus: What To Do About It)
  • A Balancing Act: Privacy Issues And Responding to A Federal Subpoena Investigating Transgender Care

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.