We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.
Advertising Disclosure

vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Report: Popular Indian Parenting Brand Exposes 100,000s of Families to Cybercrime

vpnMentor Research Team Cybersecurity and Research Lab

Led by Noam Rotem, vpnMentor’s research team discovered a data breach belonging to popular Indian parenting and e-commerce brand BabyChakra.

Based on our research, BabyChakra was storing over 5 million files from its customers entirely out in the open, exposing 100,000s of families across India to fraud, theft, and much worse.

This data breach represents a massive lapse in security by the company. By not protecting its customers’ data, BabyChakra endangered their financial and personal well-being, making them vulnerable to a host of dangers online and in real life.

Data Breach Summary

Company BabyChakra
Headquarters Mumbai, India
Industry Parenting, e-commerce
Size of data 259 GB
No. of files 5,553,744
No. of people exposed Unknown, due to the large number of duplicate files. Potentially millions. At least 100,000s.
Date range/timeline 2015 - pres.
Geographical scope India
Types of data exposed Photos; financial documents; PII data
Potential impact Fraud, phishing, malware; theft; child endangerment
Data storage format Misconfigured AWS S3 bucket

Company Profile

Founded in 2015 by Naiyya Saggi, BabyChakra is India’s biggest online pregnancy and parenting platform. The company offers a wide range of products and services covering the first stages of pregnancy up to early childhood.

BabyChakra’s mix of physical and digital products includes nutritional guidance, nanny agencies, party planners, photography services, and much more.

Timeline of Discovery and Owner Reaction

  • Date discovered: 4th February 2021
  • Date vendors contacted: 9th February 2021
  • Date of 2nd contact attempt: 17th March 2021
  • Date Amazon Contacted: 17th March 2021
  • Date of Response: - 
  • Date of Action: by the 26th April 2021

Sometimes, the extent of a data breach and the data’s owner are obvious, and the issue is quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what’s at stake or who’s exposing the data.

Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.

Some affected parties deny the facts, disregarding our research or playing down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.

In this case, our team discovered an unsecured Amazon Web Services S3 bucket account storing over 5.5 million files. We quickly identified BabyChakra as the most likely owner and verified our findings. Once we had confirmed BabyChakra owned the bucket and its data, we immediately reached out to the company.

At the time of writing, we have not received a reply from the company, despite contacting it several times. The bucket was found secured by the 26th April 2021.

Example of Entries in the S3 Bucket

In total, over 5.5 million files were left publicly accessible. While it’s difficult to confirm exactly how many people were exposed in the data breach, we estimate that the S3 bucket contained private data from at least a few hundred thousand individuals. In reality, the total number could be in the millions - but only BabyChakra has access to that information.

To determine precisely how many people were exposed, we would have needed to download all the data, but for ethical reasons, we chose not to.

User-Uploaded Photos and Videos

The majority of files exposed in the data breach were millions of photos and videos uploaded to BabyChakra’s website database by customers and the company itself. The photos contained incredibly sensitive subjects: children, families, medical test results, and medical prescriptions.

While BabyChakra customers voluntarily uploaded these photos, they would have done so expecting that the images would be protected and kept private. Instead, BabyChakra stored everyone’s photos together and left them publicly accessible online.

The following images are a small sample of the photos our team discovered, redacted for privacy purposes:

Babychakra data leak

Babychakra data leak

Babychakra data leak

Invoices, Package, and Postage Slips

Aside from user photos and videos, BabyChakra was also using the unsecured S3 bucket to store 35,120 invoices and 19,800 packaging slips from the purchases made on its website.

Combined, these exposed the Personally Identifiable Information (PII) data of over 55,000 people across India, including minors:

  • Full names
  • Phone numbers
  • Home addresses
  • Purchased items details (including prices, quantity, etc.)
  • Much more

Babychakra data leak

Babychakra data leak

Users Data Dump

Finally, the remainder of the files on BabyChakra’s S3 Bucket consisted of a massive ‘data dump’: 132,000+ records relating to its customers, obtained from a wide range of sources.

Each record contained additional data from individuals and families across India, including:

  • Names
  • Surnames
  • Mobile phone numbers
  • Children's birthdates

Based on the data being recorded, it also appears that BabyChakra may have been scraping certain data points or acquiring them from third parties, such as personal phone numbers, from customers’ Facebook profiles.

Babychakra data leak

Data Breach Impact

BabyChakra’s failure to adequately store and secure such a massive amount of data has significant implications for its customers - and the company itself.

Fraud and Identity Theft

Hackers and cybercriminals could use the exposed PII data and contact information in numerous fraudulent activities on BabyChakra and across other platforms:

  • Phishing campaigns
  • Mail fraud
  • Identity theft
  • Malicious software attacks (malware, spyware, etc.)
  • Much more

Each of these criminal schemes could have devastating consequences for 100,000s of families across India.

Physical Theft

Criminals could also use leaked information (such as packaging slips from deliveries accepted with cash payments) to pose as couriers and fraudulently collect payments from BabyChakra customers.

Even worse, they could use large shipments of BabyChakra products to identify wealthy customers purchasing lots of new items from the company. With such information, they could commit highly targeted burglaries and house break-ins targeting these families.

Predatory Activity

BabyChakra’s cloud account contained millions of photos, including many of young children. Unfortunately, this could also attract online predators interested in collecting such photos for personal use.

Impact on BabyChakra

While India doesn’t have robust data protection laws in place, BabyChakra could face numerous issues resulting from this data breach.

Customers who learn their data was leaked to the entire internet may no longer feel comfortable making purchases from BabyChakra. While the company claims to be the #1 parenting brand in India, it’s an incredibly competitive industry, and customers will have plenty of options for switching to rival providers.

At the same time, BabyChakra's competitors could seize the opportunity presented by the data breach and utilize it for aggressive negative marketing campaigns aimed at the company. Additionally, rival firms may take an extra step and leverage the compromised data to specifically target BabyChakra's users through ad and email campaigns, overwhelming them with manipulative messages.

Advice from the Experts

BabyChakra could have easily avoided exposing its customers’ data if it had taken some basic security measures. These include, but are not limited to:

  1. Securing its servers.
  2. Implementing proper access rules.
  3. Never leaving a system that doesn’t require authentication open to the internet.

Any company can replicate the same steps, no matter its size.

For a more in-depth guide on how to protect your business, check out our guide to securing your website and online data from hackers.

Securing an Open S3 Bucket

It’s important to note that open, publicly viewable S3 buckets are not a flaw of AWS. They’re usually the result of an error by the owner of the bucket. Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.

In the case of BabyChakra, the quickest way to fix this error would be to:

  • Make the bucket private and add authentication protocols.
  • Follow AWS access and authentication best practices.
  • Add more layers of protection to their S3 bucket to further restrict who can access it from every point of entry.

For BabyChakra Customers

If you’re a customer of BabyChakra and are concerned about how this breach might impact you, contact the company directly to determine what steps it's taking to protect your data.

To learn about data vulnerabilities in general, read our complete guide to online privacy.

It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.

How and Why We Discovered the Breach

The vpnMentor research team discovered the breach in BabyChakra’s data as part of a vast web mapping project. Our researchers use large-scale web scanners to search for unsecured data stores containing information that shouldn’t be exposed. They then examine each data store for any data being leaked.

Our team was able to access this S3 bucket because it was completely unsecured and unencrypted.

Whenever we find a data breach, we use expert techniques to verify the data’s owner, usually a commercial business.

As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to BabyChakra, not only to let them know about the vulnerability but also to suggest ways to make their system secure.

These ethics also mean we carry a responsibility to the public. BabyChakra users must be aware of a data breach that exposes so much of their sensitive data.

The purpose of this web mapping project is to help make the internet safer for all users.

We have no evidence - and no way of knowing - whether the data in our reports have been accessed or leaked by anyone else; only the database owner can understand that.

We do our best to prevent this from happening by reaching out to the companies and ensuring they secure their leaking database as soon as possible.

We never sell, store, or expose any information we encounter during our security research.

About Us and Previous Reports

vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.

Our ethical security research team has discovered and disclosed some of the most impactful data breaches in recent years.

This has included an enormous data breach exposing health data from millions of Indian COVID-19 patients. We also revealed that a popular Shopify app was leaking private data belonging to 10,000s of online shoppers worldwide. You may also want to read our VPN Leak Report and Data Privacy Stats Report.

Help Us Protect The Internet!

Introducing The Leak Box

The Leak Box is hosted on the Dark Web and allows ethical hackers to anonymously report any data breach they find online. Alternatively, anyone can submit a breach here on vpnMentor, any time, from anywhere, without compromising your privacy.

Check the Leak Box here >>

We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
Learn more
vpnMentor was established in 2014 to review VPN services and cover privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

About the Author

vpnMentor Research Lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
Our ethical security research team has discovered and disclosed some of the most impactful data breaches in recent years.

Did you like this article? Rate it!
I hated it! I don't really like it It was ok Pretty good! Loved it!
out of 10 - Voted by users
Thank you for your feedback

Please, comment on how to improve this article. Your feedback matters!

Leave a comment

Sorry, links are not allowed in this field!

Name should contain at least 3 letters

The field content should not exceed 80 letters

Sorry, links are not allowed in this field!

Please enter a valid email address

Thanks for submitting a comment, %%name%%!

We check all comments within 48 hours to ensure they're real and not offensive. Feel free to share this article in the meantime.