DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

12,000+ Indian blood donors’ PII and passwords leaked

Posted on June 12, 2020 by Dissent

CloudSEK reports:

CloudSEK has discovered a data leak that contains sensitive information of 12,472 blood donors registered on http://www.indianblooddonors.com/index.php. Indian Blood Donors is an organization that maintains a free database of blood donors. They also have an app, which matches recipients with the nearest donor, based on blood type.

Discovery of the leak

A CloudSEK researcher discovered posts on 2 forums advertising a database of Indian blood donors registered on http://www.indianblooddonors.com/index.php. The posts claimed that the database, which contains donors’ Personally Identifiable Information (PII), blood type, and passwords in plain text, was available for free. So, we were able to obtain the complete database at no cost to validate its contents.

Read more on CloudSEK.

An online Indian bloodbank leaking donor info that winds up being given away on forums frequented by hackers and criminals? Shocking!

Oh wait, it’s not shocking. It’s happened before. In 2019, I reported on another onlinebloodbank that wouldn’t respond to notifications. I was therefore not surprised when eventually their data showed up on an online forum for sharing and selling databases. Has their data actually been misused by criminals? I do not not know, but I would not be surprised if it had been at least misused for spam purposes.

But I also noticed that like my experience with the first online bloodbank, it appears that IndianBloodDonors.com also failed to respond to notifications while leaving donors at risk. As CloudSEK reports, the passwords are not hashed, “meaning anybody can log into a donor’s account, on the Indian Blood Donors website or app, and alter their details or act on their behalf.” And as importantly, since people tend to reuse passwords, the credentials obtained from this database can be used for attacks on other sites.

I know that there are people in India working on getting better data protection for personal and health information. I also know that this seems to be a widespread problem in India, as I replied to Sai Krishna Kothapalli, who wrote, How screwed is Indian healthcare data?

It’s very screwed.  Very, very, very, very, VERY screwed from a data protection perspective. As is other Indian personal data.

Would it be appropriate to say that “thoughts and prayers” are with those trying to get entities in India to lock down their data and to respond when whitehats try to notify them of problems?


Related:

  • Qantas obtains injunction to prevent hacked data’s release
  • Ransomware attack disrupts Korea's largest guarantee insurer
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • Global operation targets NoName057(16) pro-Russian cybercrime network in Operation Eastwood
  • More than 100 British government personnel exposed by Ministry of Defence data leak
  • New TeleMessage SGNL Flaw Is Actively Being Exploited by Attackers
Category: Commentaries and AnalysesExposureHealth DataNon-U.S.

Post navigation

← Cybereason’s Newest Honeypot Shows How Multistage Ransomware Attacks Should Have Critical Infrastructure Providers on High Alert
Russia says Germany has not provided any evidence of Bundestag hack →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Qantas obtains injunction to prevent hacked data’s release
  • Ransomware attack disrupts Korea’s largest guarantee insurer
  • Theft from Glasgow’s Queen Elizabeth University Hospital sparks probe
  • Global operation targets NoName057(16) pro-Russian cybercrime network in Operation Eastwood
  • More than 100 British government personnel exposed by Ministry of Defence data leak
  • New TeleMessage SGNL Flaw Is Actively Being Exploited by Attackers
  • North Country Healthcare responds to Stormous’s claims of a breach
  • Gladney Adoption Center had serious data exposures in the past few months. What will they do to prevent more?
  • Former U.S. Soldier Pleads Guilty to Hacking and Extortion Scheme Involving Telecommunications Companies
  • DOGE Denizen Marko Elez Leaked API Key for xAI

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Meta investors, Zuckerberg reach settlement to end $8 billion trial over Facebook privacy violations
  • ICE is gaining access to trove of Medicaid records, adding new peril for immigrants
  • Microsoft can’t protect French data from US government access
  • Texas Enacts Electronic Health Record Data Localization Law
  • Upstate NY county clerk again refuses to enforce Texas abortion judgment
  • Attorney General James Leads Coalition Urging Congress to Protect Americans from Masked ICE Agents
  • Attorney General Tong Announces $85,000 Settlement with TicketNetwork for Violations of the Connecticut Data Privacy Act​

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.
Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report