
Durex India, the Indian subsidiary of British condom and personal lubricant brand Durex, has exposed personal information of its customers, including their names and order details.
Security researcher Sorajit Majumder contacted TechCrunch this week to report that sensitive customer data was exposed on the condom maker's website.
The brand’s website leaked customer names, phone numbers, email addresses, shipping addresses, products ordered, and amounts paid. The exact number of customers affected is unknown, but the researcher found evidence that hundreds of people’s information was exposed due to a lack of proper authentication on the order confirmation page.
“For brands that deal with personal products, ensuring privacy is important,” Majumder told TechCrunch.
TechCrunch verified Majumder’s findings and found that customer order details were still available online at the time of this writing. As such, TechCrunch is withholding specific details about the exposure to avoid aiding malicious actors.
When TechCrunch contacted the company before reporting on the exposed customer information, Ravi Bhatnagar, a spokesperson for Durex parent company Reckitt, declined to comment or to say whether the company plans to protect customer information.
The researcher told TechCrunch that the data could be used for identity theft, and that the contact information could lead to unwanted harassment. Majumder also contacted India’s Computer Emergency Response Team (CERT-In) about the security flaw, and he said the agency acknowledged his emails.
“Customers affected by this breach may become victims of social harassment or moral disciplinary action,” the researcher said.