Durex India, the Indian subsidiary of the British condom and lubricant brand, has exposed the personal information of its customers, including their full names and order details.
Security researcher Sourajeet Majumder contacted TechCrunch this week to discuss the publication of confidential customer data on the condom maker’s website.
Customer names, phone numbers, email addresses, delivery addresses, the products ordered and the amount paid were published on the brand’s website. The exact number of customers affected is unknown, but the researcher found evidence that the information of hundreds of people was exposed because proper authentication was not performed on the order confirmation page.
“For a brand that deals in intimate products, ensuring privacy is critical,” Majumder told TechCrunch.
TechCrunch reviewed Majumder’s findings and found that customers’ order data was still accessible online at the time of writing. For this reason, TechCrunch is withholding certain details about the disclosure to avoid aiding malicious actors.
When contacted by TechCrunch before the information about the exposed customer data was published, Ravi Bhatnagar, a spokesman for Durex parent company Reckitt, declined to comment or say whether the company plans to protect its customers’ information.
The researcher told TechCrunch that the data could be misused for identity theft and that the contact details could lead to unwanted harassment. Majumder said he also contacted India’s Computer Emergency Response Team (CERT-In) about the vulnerability, which acknowledged his email.
“Affected customers may also become victims of social harassment or moral surveillance due to this leak,” the researcher said.