Popular podcast platform leaks data of tens of millions of its customers


One of India’s most popular podcast and audiobook platforms, KukuFM, left a publicly accessible instance and exposed more people than the entire population of Poland. Worryingly, even after the company was notified, it took no steps to secure the data.

Mumbai-headquartered KukuFM left an open Kibana instance exposing over 38 million of the platform’s users, the Cybernews research team has discovered.

Organizations use Kibana, a popular online tool, for searching, visualizing, and analyzing stored data. In this case, the data stored on the instance involved user email addresses, phone numbers, and profile pictures, all of which were exposed.

ADVERTISEMENT

“The exposure of personal information poses significant privacy and security risks to the affected users, as data can be misused for phishing attacks, identity theft, fraud, and other malicious activities. The breach can severely impact the reputation of KukuFM, undermining user trust and raising concerns about the company's data protection practices,” our researchers noted.

After discovering the exposed instance on June 25th, the team contacted KuKuFM about the issue. On the same day, researchers received an auto-response, saying that the support team had opened a ticket to resolve the issue. The ticket was closed on August 8th, indicating that the problem had been fixed.

KukuFM data sample
Sample of the leaked data. Image by Cybernews.

However, as late as September 20th, the same Kibana instance was still open to the public, continuing to leak KukuFM’s user data. When the team first discovered the instance, 29 million records were exposed. Meanwhile, at the time of writing, the instance held 38 million records, which means that another nine million users had their data exposed over the same time period.

The open instance was indexed on the Internet of Things (IoT) search engine, which attackers often use to scour the web for easily accessible data. The team believes that, as often happens, misconfiguration of the instance led to a lack of proper access controls, resulting in user data becoming accessible to the public.

On September 25 KukuFM responded, saying that the issue has been resolved, adding that no payment or login data was exposed.

“The vulnerability has now been resolved, and no sensitive data such as payment information, login credentials, or other secure information was exposed. Transparency is a core value at Kuku FM, and we are committed to keeping everyone informed as we continue auditing our technology infrastructure and processes to prevent future incidents,” KukuFM said.

Our researchers urged KukuFM to address the misconfiguration and secure the exposed data as soon as possible. Key steps to address the issue could include:

ADVERTISEMENT
  • Securing the exposed Kibana ELK with proper access controls
  • Conducting a thorough security audit to identify and rectify any other potential vulnerabilities
  • Implementing regular security monitoring and incident response protocols
  • Educating employees about data security best practices to prevent future breaches

Established in 2018, KukuFM specializes in audio content delivery. The platform delivers podcasts, audiobooks, talk shows, and other types of content, mostly in Hindi and Marathi. The platform has tens of millions of users, with its app having over 50 million downloads on the Google Play store.

Updated on September 26th [07:54 a.m. GMT] with a statement from KukuFM.