Durex’s Indian branch suffered a security breach, resulting in the theft of large amounts of sensitive customer data.
A security researcher named Sourajeet Majumder recently got in touch with TechCrunch about a data breach at the company’s Indian operations. He noted that the lack of proper authentication on the order confirmation page of the Durex India website allowed unauthorized users to access customers’ personal information.
The data may include customer name, phone number, email address, shipping address, products ordered, and amount paid.
Verified claims
It’s unclear exactly how many people are affected by this error, but it’s believed to be in the hundreds.
“Privacy is extremely important for an intimate product brand,” Majumder said.
TechCrunch said it was able to verify the researcher’s claims, and noted that because the data is still available and the exploit is still replicable, details about the error will not be made public until Durex India fixes the issue.
Following this discovery, Majumder contacted the Computer Emergency Response Team, India (CERT-In), which “verified his emails.”
“As a result of this breach, affected customers may become victims of social harassment and moral policing,” he said, adding that they may also become targets of convincing phishing emails and fraudulent schemes pretending to be from Durex to trick them into downloading malware or divulging payment data.
So far, neither Durex nor its parent company Reckitt has discussed protecting the information, despite questions from this publication. At this point, it’s unclear if any malicious actors have discovered or stolen the data, but given that the news has spread and the bug is reproducible, it’s probably only a matter of time before that happens.