Durex India Customers’ Private Order Data Leaked

Date: August 29, 2024

Durex, the company known for making intimate products, has come into the spotlight for an alleged breach that exposed sensitive customer data.

Durex India is one of the most popular brands for intimate wellness and hygiene, and the nature of its products makes discretion around purchases a must. A security researcher, Sourajeet Majumder, recently found security issues on Durex India’s website that exposed sensitive information about its customers to the public.

Durex's website has allegedly exposed critical customer data, including contact name, phone number, email address, shipping address, order history, and transaction records. Taken together, this information could be used by bad actors for extortion scams, social harassment, and much more. The exact count of exposed customer accounts is unclear, as the company has not responded to comment requests from any public media house.

The leak of personal information stems mainly from the lack of a secure authentication process on the order confirmation page. Sourajeet reverse-engineered the page and found extensive evidence of exposure. Neither the company nor any legal authority has provided clarity on the issue, so the total number of victims remains unknown.

“For a brand dealing with intimate products, ensuring privacy is crucial,” Majumder told a tech media house. The media house then investigated independently and reached the same result. Its verification team found customer order details still visible on the platform but kept them confidential to prevent bad actors from harming the affected customers in any way.

As an intimate products brand with a global presence and one of the top condom-makers, Durex should have had a better protection layer for its customers. This security inadequacy also puts the security protocols of Durex’s global and country-wide websites under scrutiny and skepticism. The researcher has already contacted the Indian Computer Emergency Response Team (CERT-In) about the risk of the potential breach, and appropriate action will commence soon.

By Arpit Dubey
