App for motorbike lovers reveals user plates, home addresses


Moto.app, an Italy-focused service for motorcycle enthusiasts, has exposed thousands of users, leaking their names, personal tax IDs, and other private details.

While bikers are no strangers to thrill-seeking, risking their privacy is hardly the reason they choose to mount their steel horses. However, the Cybernews research team has discovered that thousands of moto-heads had their personal details exposed.

On May 21st, our team found two publicly accessible Microsoft Azure Blob instances owned by Moto.app, a popular biker-dedicated app. The exposed storage buckets contained over 211,000 pdf files with personal user details.

ADVERTISEMENT

Moto.app is a digital platform that connects motorcyclists in Italy with maintenance services, ride planning, community features, and a marketplace. The app has over 100,000 downloads on the Google Play store.

According to the team, the exposed Moto.app user details include:

  • Names and surnames
  • Home addresses
  • Motorcycle plate numbers
  • Italian personal tax ID codes

The platform’s owners took down the buckets on May 27th, and the data is no longer accessible to the public. We have reached out to Moto.app and its owner B2C Innovation for an official statement but did not receive a reply before publishing.

Perils of the Moto.app data leak

Malicious actors can use the exposed user details for nefarious purposes, such as identity theft and impersonation. For example, attackers could combine the leaked names, addresses and the Codice Fiscale, the personal code for Italians, to access user personal accounts.

“While the Codice Fiscale does not disclose detailed personal information on its own, it’s a key that can unlock access to official databases containing extensive personal, financial, and health information. Unauthorized access or misuse of this code can lead to identity theft, fraud, and privacy violations,” the team said.

Attackers could use the personal tax code to file fraudulent tax returns, claim benefits, try opening bank accounts, obtain credit cards, or apply for loans.

ADVERTISEMENT

The team believes that the Moto.app data leak could be a gold mine for thieves. By coupling home addresses with detailed information on motorcycle brands and models, crooks could target high-value or easily resalable vehicles.

“Moreover, criminals could use leaked plate numbers to create fake ones, which can then be utilized on stolen motorcycles or in other illegal activities, causing legal issues for the legitimate owners,” the team said.

Data exposure may also lead to Doxxing, a practice of disclosing or publishing personal information about a person without that person's permission. Motivation for such practice ranges from personal grievances to monetary gain.

“Malicious-minded individuals may use this information for doxxing, where private information about an individual is leaked to others, violating that person's privacy. The consequences could involve specific illegal activity that is made easier by knowing exactly where the person lives, such as theft, burglary, or physical incursion.,” researchers said.

To secure the data and avoid similar incidents in the future, researchers advise to:

  • Restrict access: Immediately change the access permissions of the affected storage bucket to private. Ensure that only authorized personnel have access.
  • Revoke Shared Access Signatures (SAS): If the data was shared using SAS tokens, revoke those tokens immediately to prevent further unauthorized access.
  • Retrospective audit logs: Check the Azure Activity Log and Storage Analytics logs to identify when the data exposure started, what data was accessed, and by whom.
  • Review access controls: Reevaluate and tighten access controls and permissions on all storage buckets.
  • Implement encryption: Ensure that data at rest and in transit is encrypted.