German broadcaster Bayerischer Rundfunk reported last week that unencrypted oBike user data – names and ride locations, for example – were accessible online.
A spokesman for the Singapore-based firm said it was made aware of the issue two weeks ago, and worked quickly to resolve it immediately. He added that it affected only a handful of users.
“As (we are) a tech company, users’ data and security are of paramount importance to us,” he said, adding that credit card details and user passwords were not stored in the app and were not leaked.
The leak resulted from a gap in the oBike app’s application programming interface (API) that allowed users to refer their friends to the firm’s services.
“We have since fixed the loophole by disabling the API and created additional security layers,” the spokesman said, adding that the systems were now fully restored and secure.
“We are relooking the sharing and security functions of the app, to ensure that no further user data is compromised.”
When contacted, the Personal Data Protection Commission said it was aware of the data breach and had reached out to oBike for more details.
oBike rolled out its bicycles in Singapore in January and has since expanded to other cities worldwide such as Melbourne and London.
In response, rival bike-sharing firm ofo said it “does not collect, process or access any individual user data or information in (its) work” and instead uses only accumulated rider information for data analysis purposes.
A spokesman for Mobike said it had “robust data management protocols” in place to protect user data, adding that it did not share users’ personal data with third parties without their consent.
The news of oBike’s user data leak comes after it was revealed last month that ride-hailing giant Uber had covered up a data breach in 2016. The breach exposed the personal details of 57 million passengers and drivers worldwide to hackers.
The American ride-hailing giant had not informed the authorities about the attack, and instead paid hackers US$100,000 (S$135,000) to delete the compromised data.
Closer to home, the NRIC numbers of hundreds of Xinmin Secondary School students were leaked online last month.
“The sad reality is that this kind of incident is getting more common,” said Mr David Maciejak, security research director for cyber-security provider Fortinet.
He said people should take steps to protect their own data, such as by using a virtual credit card, which provides users with a disposable credit card number.
Akamai Technologies security chief technology officer Michael Smith warned people against reusing passwords across multiple websites and applications.
He suggested the use of password manager applications such as LastPass instead. LastPass creates a private account where users can store encrypted passwords.
Observers said the increasing use of APIs – which allow various software components to communicate with one another – makes them an increasingly attractive target for attack.
Though the use of APIs is becoming more important, there is less knowledge and history on how to secure them, said Mr Smith.
“Over the past several years, we’ve seen attackers target APIs more frequently because they are perceived as being less protected than websites that are accessed with a browser,” he added.
Mr Edward Lim, South-east Asia and Greater China senior director for security firm RSA, said there needs to be more stringent testing for APIs.
“For example, firms could incorporate vulnerability assessment at every major stage of the API development, instead of only upon completion of the apps.”
Mr Mohan Veloo, Asia-Pacific chief technology officer for network security firm F5 Networks, said APIs should be vetted to ensure that they do not give third parties an unnecessary level of authorisation rights and privileges that could be exploited by hackers.
He described the use of APIs as a double-edged sword for companies.
“By using APIs, businesses inadvertently open up a back door to all their data.”
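To make the API-vetting point above concrete, here is an added example (not oBike's code; the article gives no detail of its API) contrasting a hypothetical referral-lookup handler that serialises the whole user record with no caller check against a hardened version that requires a session token and returns only an allow-listed response. All users, tokens and ride coordinates are constructed sample data.

```python
from dataclasses import dataclass, field, asdict
from typing import Optional, List, Tuple

@dataclass
class User:
    user_id: str
    name: str
    phone: str
    referral_code: str
    rides: List[Tuple[float, float]] = field(default_factory=list)  # constructed ride start points

# Constructed sample records (hypothetical users, tokens and locations)
USERS = {
    "u1": User("u1", "Alice Tan", "+65-0000-0001", "ALICE123", [(1.3521, 103.8198)]),
    "u2": User("u2", "Bob Lim", "+65-0000-0002", "BOB456", [(1.2903, 103.8520)]),
}
SESSIONS = {"tok-u1": "u1"}  # constructed: bearer token -> authenticated user_id

# Fields a referral check legitimately needs to expose to the caller
ALLOWED_FIELDS = {"valid"}

class Unauthorized(Exception):
    pass

def referral_lookup_leaky(referral_code: str) -> Optional[dict]:
    """Weak pattern: no caller identity is required and the matching user's entire
    record (name, phone, ride locations) is serialised into the response."""
    for u in USERS.values():
        if u.referral_code == referral_code:
            return asdict(u)
    return None

def referral_lookup_hardened(token: Optional[str], referral_code: str) -> dict:
    """Hardened pattern: the caller must hold a valid session, and the response is
    built from an explicit allow-list rather than from the stored record."""
    if token is None or token not in SESSIONS:
        raise Unauthorized("a valid session token is required")
    matched = any(u.referral_code == referral_code for u in USERS.values())
    response = {"valid": matched}
    assert set(response) <= ALLOWED_FIELDS  # guard against accidental field creep
    return response

def overexposed_fields(response: dict) -> set:
    """Return the fields in a response that go beyond what a referral check needs."""
    return set(response) - ALLOWED_FIELDS
```

Running `overexposed_fields(referral_lookup_leaky("ALICE123"))` shows exactly which personal fields the weak handler gives away, which is the kind of check the vulnerability assessment at each development stage described above would catch.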