Privacy of 50,000 'Get' Users Compromised Amidst a Data Breach


In May 2017, a ticketing platform by the name of Qnect made the news for all the wrong reasons. Qnect's userbase consisted mostly of Australian students, who suddenly started receiving strange unsolicited SMSs. The texts were reportedly sent by hackers who had broken into Qnect's systems and stolen the data of some of its users. The messages said that unless a ransom was paid, the data would be made publicly accessible, and the users were urged to persuade Qnect's management to cough up the bitcoins.

It's unclear how the whole story unfolded. What we do know is that Qnect is now called Get. We also know that the privacy of its users is once again under threat.

A student discovers a major Get data breach by accident

A student at the University of New South Wales was trying to use Get's services when he discovered that, thanks to an insecure implementation of some APIs, the personal information of around 50 thousand people (or a third of Get's entire userbase) could be obtained with terrifying ease. The student in question used his Reddit account to share the story with everyone, and he started off by saying that he is currently doing undergraduate research on companies that have experienced data breaches. The discovery wasn't made during his research, though.

What he was trying to do was find a Get society on the platform's website. As luck would have it, he mistyped the name of the society, and the results that appeared looked rather interesting. The typo meant that instead of useful information that should be publicly accessible, he was looking at the personal data of students who had used Get. He then entered the name of one of his friends into the search engine, and he was shocked to find out that Get was freely revealing its users' personal details.

The student then used his expertise to take a closer look, and he quickly realized that there were "a range of" poor practices. Obviously, the biggest problem lay with the fact that the search service was spilling out personal information, and as if that wasn't enough, it didn't require any tokens to do so, meaning that anyone, regardless of whether or not they have a Get account, could use it.
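
The failure described above, a search endpoint that needs no token and hands back whole user records, is easiest to see next to a hardened version. This is an added example, not Get's code or the student's; the record layout, field names, token scheme and function names are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample data: public society records and private user records
# sitting behind one search index (an assumption about the layout).
RECORDS = [
    {"type": "society", "name": "Chess Society", "campus": "Kensington"},
    {"type": "user", "name": "Chess Fan", "phone": "0400 000 000",
     "birthday": "1999-01-01", "facebook_id": "1000000001"},
]
PUBLIC_FIELDS = {"society": ("name", "campus")}  # allow-list per record type
SERVER_KEY = b"demo-key-for-illustration-only"   # placeholder secret


def _tag(account_id: str) -> str:
    return hmac.new(SERVER_KEY, account_id.encode(), hashlib.sha256).hexdigest()


def issue_token(account_id: str) -> str:
    """Hypothetical session token: account id plus an HMAC tag over it."""
    return f"{account_id}.{_tag(account_id)}"


def token_is_valid(token) -> bool:
    if not token or "." not in token:
        return False
    account_id, tag = token.rsplit(".", 1)
    # Compare as bytes in constant time; a forged tag must not match.
    return hmac.compare_digest(tag.encode(), _tag(account_id).encode())


def search_insecure(query: str) -> list:
    """Behaviour the article describes: no token, every record type, every field."""
    q = query.lower()
    return [r for r in RECORDS if q in r["name"].lower()]


def search_hardened(query: str, token=None) -> list:
    """Require a token, search public record types only, return allow-listed fields."""
    if not token_is_valid(token):
        raise PermissionError("authentication required")
    q = query.lower()
    return [
        {field: r[field] for field in PUBLIC_FIELDS[r["type"]]}
        for r in RECORDS
        if r["type"] in PUBLIC_FIELDS and q in r["name"].lower()
    ]
```

The token check alone would not have been enough here: any logged-in account could still read other users' details, which is why the hardened version also restricts the record types searched and the fields returned.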

Somebody has apparently been poking through the exposed data

According to the student who discovered the data breach, there is "copious evidence" of SQL injection attacks on this particular section of Get's infrastructure. He seems pretty convinced that someone managed to get their hands on the exposed information before him. This means that the nature of the leaked data is all the more important.

Thankfully, all payments are processed by a third-party processor which means that financial details haven't been exposed. There is no evidence of leaked passwords, either, which is also good news.

The details that did get out during the breach include names, Facebook IDs, birthdays, and phone numbers. Indeed, it's not the most sensitive leak, but Get users should still be on the lookout for scam calls, texts similar to the ones they were receiving about two and a half years ago, and phishing emails.

Get's response

The student who discovered the breach said that prior to sharing his findings with Reddit, he tried to get hold of someone at Get and responsibly disclose the problem. Apparently, he didn't get an answer. Get's story, however, is a bit different.

According to it, Get's IT people first heard about the problem on September 6, when "a number of organizations" told them that their systems might be vulnerable. On Saturday, the insecure API calls were tokenized, and since then, the team has been hard at work trying to investigate what went wrong and why.

Get has been issuing daily updates that unfortunately haven't provided much in the way of additional information. The platform doesn't seem especially keen on discussing the evidence of previous attacks mentioned by the student who discovered the breach, and it won't say anything about another vulnerability discussed in the same Reddit thread.

All in all, we have a he-said-she-said scenario, which means that it's not very easy to judge how well Get reacted to the whole thing. One thing that nobody is willing to argue about, however, is that the same company (albeit under a different name) has recorded two data breach incidents in just as many years. And this is definitely not making for a good look.

September 11, 2019
