Bike-sharing provider oBike suffers global data breach

SINGAPORE: Local bike-sharing service provider oBike had suffered a global security breach that lasted at least two weeks, resulting in user data being leaked online. 

According to a recent report by Bavarian news agency BR24, user data that could be accessed online include names, mobile phone numbers, email addresses, profile pictures and the routes they took when they rented the bicycles. It added that the data was not encrypted or protected.

It stated in the report that these data did not just affect users in Germany, but also users from others such as Singapore, Malaysia, Switzerland and Great Britain. 

An oBike spokesperson confirmed the incident saying it was “made aware of the issue and worked quickly to resolve it immediately”, although she did not reveal when the breach took place, and when the company resolved the breach. 

The company said the issue “stemmed from a gap in our API (application programming interface) that allowed users to refer a friend to our platform“.

“We have since fixed the loophole by disabling the API and created additional security layers,” the spokesperson said.

“This only affected a small handful of our users. The personal data that was exposed was limited to user names, email addresses and mobile numbers. The app does not store credit card details or passwords of users,” she added, but did not reveal how many users were affected.

The spokesperson did point out that “five markets” including Singapore were impacted.

The company also said it is re-looking the sharing and security functions of the app, to ensure that no further user data is compromised.

The bike-sharing company officially launched its service in Singapore this April, but its international footprint has expanded since to include Malaysia, Australia, UK, the Netherlands, Switzerland, Taiwan, South Korea, Germany, Austria, Thailand and Belgium, according to its website.