Thousands of Mobike users' passports and IDs exposed online

·3-min read

A massive trove of more than 120,000 passports, drivers licenses and identity documents uploaded by users of bike-sharing service Mobike have been found online.

Security researcher Bob Diachenko found the data in an unprotected Amazon-hosted storage bucket on February 11 and passed details to TechCrunch in an effort to get the data secured. The bucket's name suggests it belonged to Mobike, a once-promising bike-sharing operator founded in China. Anyone who knew the easily guessable bucket name could browse the trove of passports and identity documents, dating back to 2017 and growing in size every day, from their web browser.

The bucket stored identity documents that users have to upload before they can use Mobike. The bucket also contained 94,000 customer selfies and 49,000 customer signatures for user identity verification. Almost all of the identity documents were for users in Latin America, including Argentina and Brazil. But none of the data was encrypted.

Founded in 2015 in Beijing, Mobike has changed hands several times. It was once hailed as a bike-sharing pioneer in China, a booming startup that took in billions of investment capital before being snapped up by Chinese on-demand services giant Meituan for $2.7 billion in 2018. Mobike's China-based operation was later rebranded to Meituan Bike.

Mobike had international ambitions but fell on hard times. It was bleeding hundreds of million dollars in the months after its acquisition by Meituan, which later decided to divest Mobike's international business in a bid to cut costs. The plan was to shut down Mobike in Southeast Asia but keep it running in Northeast Asia, Latin America and Europe through local partners.

But when contacted about the security lapse, nobody seemed to want to take ownership — or responsibility — for the exposed data.

When reached by TechCrunch, Meituan spokesperson Xiang Xi said the company had "nothing to do with the matter" since it had sold Mobike's Latin America business in August 2019 but declined to say who acquired the company citing a non-disclosure agreement, making it considerably more difficult to know exactly who to contact about the exposed customer data.

Many of the files in the exposed bucket, however, predate August 2019 when Meituan supposedly still held ownership in Mobike.

TechCrunch contacted a number of public and private email addresses known to be associated with Mobike. Many emails were unreturned, while others bounced back with an error message saying our emails could not be delivered. Multiple messages containing the exposed bucket's web address were sent to a Mobike customer support number on WhatsApp but were not responded to.

By the end of May, the bucket had been secured. It's still not clear exactly who secured the bucket.

It's also not known how long the bucket was exposed — or even how the contents of the bucket became public to begin with. Because Amazon's storage buckets are private by default, someone with control of the buckets must have changed its permissions to allow public access.

At the time of writing, Mobike has made no statement on its website or any of its social media profiles — which haven't posted since 2019 — about the security incident.