Mumbai-based podcast and audiobook platform KukuFM has left a Kibana instance publicly accessible, exposing personal data from more than 38 million users.

The breach was discovered by Cybernews researchers, who noted that the leaked data includes sensitive information such as email addresses, phone numbers, and profile pictures, posing significant privacy risks.
A Kibana instance refers to a deployment of Kibana, an open-source data visualization and exploration tool. Kibana is commonly used in combination with Elasticsearch, a search and analytics engine, as part of the Elastic Stack (also known as ELK Stack, which includes Elasticsearch, Logstash, and Kibana). This stack helps organizations to search, analyze, and visualize large sets of data in real time.
In the KukuFM case, the Kibana instance was misconfigured: it was publicly accessible without security controls such as passwords or firewalls. This allowed unauthorized users to access sensitive information stored in the associated Elasticsearch database. A Kibana instance that isn't secured properly can expose vast amounts of data to the internet, as happened here with more than 38 million user records.
KukuFM, founded in 2018, is one of India’s leading platforms for audio content, specializing in podcasts and audiobooks in Hindi and Marathi. With over 50 million app downloads, the platform’s popularity makes this breach particularly concerning. Misconfigured access controls on the Kibana instance allowed public access to this user data, which was indexed on Internet of Things (IoT) search engines frequently used by cyber attackers.
Researchers first reported the issue to KukuFM on June 25. The company initially responded by opening a support ticket, but the problem persisted, and the data remained publicly exposed until at least September 20. During this time, an additional nine million user records were added to the exposed data.
The exposed data increases the risk of phishing attacks, identity theft, and other malicious activities. Cybernews urged KukuFM to immediately secure the Kibana instance and conduct a thorough security audit to prevent future incidents.
Kuku FM said it has resolved the issue, adding that no payment or login data was exposed.
“The vulnerability has now been resolved, and no sensitive data such as payment information, login credentials, or other secure information was exposed. Transparency is a core value at Kuku FM, and we are committed to keeping everyone informed as we continue auditing our technology infrastructure and processes to prevent future incidents,” Kuku FM said.
The incident raises serious concerns about KukuFM’s data protection practices and highlights the broader challenges of securing sensitive information in the rapidly growing digital content industry.
Baburajan Kizhakedath