Durex India, the Indian subsidiary of the British condom and personal lubricant brand, has exposed the personal information of customers, including their names and order details.
Security researcher Sourajeet Majumder contacted TechCrunch this week about the condom manufacturer's website leaking sensitive customer data.
The brand's website exposed customer names, phone numbers, email addresses, delivery addresses, products ordered, and amounts paid. The exact number of customers affected is unclear, but the researcher found evidence that hundreds of people's information was exposed due to a lack of proper authentication on the order confirmation page.
“Privacy is crucial for intimate goods brands,” Majumder told TechCrunch.
TechCrunch has verified Majumder's findings and found that customer order details were still accessible online at the time of writing, which is why TechCrunch is withholding specific details about the breach to avoid aiding bad actors.
TechCrunch contacted Durex's parent company, Reckitt, about the breach before publication, but spokesman Ravi Bhatnagar declined to comment on whether the company had plans to protect customer information.
The researcher told TechCrunch that the data could be used for identity theft, and that the contact details could lead to unwanted harassment. Majumder said he had also contacted the Computer Emergency Response Team of India (CERT-In) about the security flaw, which acknowledged his emails.
“The leak may also expose affected customers to social harassment and moral policing,” the researcher said.