Ola has been hacked again. Yes, they didn’t learn from their past. This time, hackers got access to credit card details and transaction history and un-used vouchers.
Hackers have posted about the hacking on a Reddit post with the snapshot to confirm the attack. They found the SQL injection vulnerability in the app and then exploited the SQL injection vulnerability to get the access to Ola’s database.
Above snapshots confirm that hackers got access to the database and they were able to access the records of any table. Above screenshot says that hackers got access to olacabs-dev.in. By name, it seems to be a development environment. But I am waiting for the official confirmation.
“Their Application design is very poor and their development server is weakly configured. The hack was a little tricky and involved many steps to get to the database. Once we got to the database it was like winning a lottery. It had all the user details along with credit card transaction history and unused vouchers. The voucher codes are not even out yet. Its obvious that we wont be using credit card details and voucher codes. We dropped them a mail but no response from their side as of now. You can see the snapshots in the links given below. I am sure OLA might be having a security team of their own. Not that good it seems 😉 ,” hackers posted in Reddit.
We have contacted company but they are yet to confirm anything officially. Ola has promised to come with a public statement in few hours. But a person of the company confirmed the hack but he also added that customers data and CC details are safe. He also said the same thing which I suspected. Hackers accessed olacabs-dev.in whch is a development enviroment and not linked with actual running services. So, original customers detail are safe.
We have to wait for few more hours to get official statement on this incident.
Update: Official statement is now here:
There has been no security lapse, whatsoever to any user data. The alleged hack seems to have been performed on a staging environment when exposed for one of our test runs. The staging environment is on a completely different network compared to our production environment, and only has dummy user values exclusively used for internal testing purposes. We confirm that there has been no attempt by the hackers to reach out to us in this regard. Security and privacy of customer data is paramount to us at Ola.
In past, Shubham Paramhans, a tech enthusiast also hacked Ola Wallet, and earned free wallet cash. He also said, “Breaching Ola was one of the easiest kind of hacks possible.” Now this new hack again confirms that there is a serious problem with the security team of Ola
