An event ticketing and payment app popular with university students across Asia and backed by the venture capital arm of Singapore state investment firm Temasek has suffered a second data breach, potentially exposing the personal details of more than 30,000 users in the city-state.
Get, which allows campus clubs and societies to list their social events and sell tickets, repaired the flaw after it was discovered earlier this month, a cybersecurity expert said, but it had yet to notify the users whose information may have been leaked.
Nandakishore Harikumar, CEO of Technisanct Technologies, which is based in Kochi, India, looked into a Reddit user's comment earlier this month that said he had bought a ticket for a campus event through Get and was eventually able to access a list of other users' names and details.
The user, who only wanted to be known by his Reddit username Babysharkvic_au, said he was studying machine learning in Australia. He found that by manipulating Get's application programming interface (API), the code that allows two applications to talk to each other, and searching for campus events with their names misspelt, he could access users' names, phone numbers, email addresses, dates of birth, and even home addresses.
"I can confirm there was a breach," Nandakishore said, adding that Get had now revoked access to the API and SQL, or Structured Query Language, a computer language used to retrieve data from a database.
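The article does not say how Get's search API came to return other users' records, so the following is an added illustration (not Get's code) of the general weakness class it describes: an event-search endpoint that serialises attendee records into its response, beside a hardened version that returns only an allow-listed set of event fields and the caller's own ticket status. The schema, sample users and events are constructed for the example.

```python
import sqlite3

# Constructed in-memory data standing in for a ticketing backend (hypothetical
# schema, not Get's). Used to contrast an API handler that exposes attendee
# PII with one that returns only what the caller is entitled to see.
PII_FIELDS = ("email", "phone", "dob", "address")

def build_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, email TEXT,
                           phone TEXT, dob TEXT, address TEXT);
        CREATE TABLE events(id INTEGER PRIMARY KEY, title TEXT, venue TEXT);
        CREATE TABLE tickets(user_id INTEGER, event_id INTEGER);
        INSERT INTO users VALUES (1,'Alice Tan','alice@example.edu','+65 8000 0001','2001-02-03','1 Example Rd');
        INSERT INTO users VALUES (2,'Ben Lim','ben@example.edu','+65 8000 0002','2000-05-06','2 Example Rd');
        INSERT INTO events VALUES (10,'Salsa Night','Ngee Ann Poly');
        INSERT INTO tickets VALUES (1,10),(2,10);
    """)
    return db

def search_events_leaky(db, query: str) -> list[dict]:
    # Over-exposing handler: every attendee row is serialised for each matching
    # event, so any caller who can search also reads other users' PII.
    out = []
    for eid, title, venue in db.execute(
            "SELECT id, title, venue FROM events WHERE title LIKE ?", (f"%{query}%",)):
        attendees = db.execute(
            "SELECT u.* FROM users u JOIN tickets t ON t.user_id = u.id WHERE t.event_id = ?",
            (eid,)).fetchall()
        out.append({"id": eid, "title": title, "venue": venue,
                    "attendees": [dict(zip(("id", "name") + PII_FIELDS, a)) for a in attendees]})
    return out

def search_events_safe(db, query: str, caller_id: int) -> list[dict]:
    # Hardened handler: explicit column allow-list, parameterised query, and only
    # the caller's own ticket status; no attendee records leave the server.
    out = []
    for eid, title, venue in db.execute(
            "SELECT id, title, venue FROM events WHERE title LIKE ?", (f"%{query}%",)):
        has_ticket = db.execute("SELECT 1 FROM tickets WHERE user_id = ? AND event_id = ?",
                                (caller_id, eid)).fetchone() is not None
        out.append({"id": eid, "title": title, "venue": venue, "you_have_ticket": has_ticket})
    return out

def leaks_pii(response: list[dict]) -> bool:
    # Regression-test helper: flag any PII key anywhere in a response payload.
    def walk(obj):
        if isinstance(obj, dict):
            return any(k in PII_FIELDS or walk(v) for k, v in obj.items())
        if isinstance(obj, list):
            return any(walk(v) for v in obj)
        return False
    return walk(response)
```

A check like `leaks_pii` run against every endpoint's responses in CI is one form of the "basic audit" that catches this class of exposure before users do.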
The Reddit user said he had emailed Singapore-based Get when he discovered the breach on September 5 but had not heard back. There was no notice on Get's website about the issue and five students interviewed said they had not received any notification.
Nandakishore said: "Many organisations are little aware of the basic security practices to be followed. They need to inform individual users to change their password."
But he added that he had not found any of the data being offered for sale on the dark web or other platforms.
Get, which secured US$2.5 million (S$3.5 million) in funding from Temasek's venture capital arm Vertex Ventures, suffered a first data breach in May 2017 before the firm changed its name from QNect. It is popular in a number of countries and territories including Hong Kong and Australia.
The first breach saw users receive threatening text messages from a hacking group saying their data would be published online, according to Australian media. But the co-founder of the then Sydney-based start-up, Daniel Liang, brushed off the threats, saying hackers possessed no financial information.
Reddit user Babysharkvic_au this month said he had been able to access the personal details of about 30,000 students from Singapore.
He warned users in a Reddit post on Wednesday that they could have been exposed.
"Their lack of a response is a concern, especially since this isn't the first time they have been hacked," Babysharkvic_au said.
Among gatherings listed on the app are a venture capital event by Singapore Management University, an arts fiesta by Singapore Polytechnic and a contemporary dance show at Ngee Ann Polytechnic.
Singaporeans using Get expressed concern when told about the breach.
A student who gave her name as Chua said she would be warier when using it.
"I trust that the developer should have built a system resilient enough to protect data," she said.
She had bought a ticket to a salsa dance performance.
Bertrand Ong, a 26-year-old assistant brand manager, said he was more worried his credit card information might be disclosed.
"I have used the app a couple of times to buy tickets for social events, and I did not expect my personal information could be used by others," he said.
The company should have informed users of the breach, Ong added.
Get did not immediately respond to requests for comment.
Nandakishore said the data breach could have been averted had the company put in place "basic security measures".
"There are many solutions that offer API security … Basic audits need to be done on a regular basis to ensure both these parts are taken care of," he said.
Anwitaman Datta, an associate professor at Nanyang Technological University, warned that obtaining users' personal details was akin to hackers finding a "treasure trove".
"Information nicely organised and linked to each other is a treasure trove for attackers since they can use this to personalise any targeted attack on a person, and do so at scale," said Datta, who is also part of the university's Cyber Security Research Centre.
For example, a hacker would know which particular email address or phone number to target for a phishing attack using a "special birthday offer", he said.
"Personalised attacks take many forms: befriending the target first or blackmailing the target somehow by giving the false impression that the attacker knows certain things about the victim using the kind of information the attacker gets access to because of the data breach."
Nandakishore said users needed to be more aware of the implications of placing their details online.
"It's always a user's choice," he said. "Companies holding private data, whether it's a single name or password, are always liable for securing such information."
Datta added that while it was inevitable that users would leave a trail of personal information on social media, they could avoid being hacked by not responding to unsolicited emails or phone calls from unknown sources.
"Most attacks, while highly personalised, are not really targeted persistently on an individual basis. So staying off the attackers' radar by simply not responding is the simplest defence that will work against a wide range of such attacks."
This article was first published in South China Morning Post.