Full Report
In May 2025, the South American mobility services platform Ualabee had hundreds of thousands of records scraped from an interface on their platform. The data included 472k unique email addresses along with names, profile photos, dates of birth and phone numbers.
Analysis Summary
# Incident Report: Ualabee Data Scraping Incident
## Executive Summary
In May 2025, the South American mobility services platform Ualabee experienced a data scraping incident resulting in the exposure of data belonging to approximately 472,300 users. The compromise occurred via an interface on their platform, leading to the exfiltration of personally identifiable information (PII). Response efforts focused on advising users to change passwords and enable multi-factor authentication.
## Incident Details
- Discovery Date: June 13, 2025 (Date added to HIBP)
- Incident Date: May 2025
- Affected Organization: Ualabee
- Sector: Mobility Services/Technology
- Geography: South America
## Timeline of Events
### Initial Access
- Date/Time: May 2025 (Approximate)
- Vector: Vulnerable interface on the Ualabee platform.
- Details: Attackers utilized an interface to scrape data from the platform.
### Lateral Movement
- *Not explicitly detailed in source material; access appears limited to data scraping via an interface.*
### Data Exfiltration/Impact
- Date/Time: May 2025
- Details: Exposure of 472,300 unique records, including names, email addresses, profile photos, dates of birth, and phone numbers.
### Detection & Response
- Detection: Incident became public knowledge when data was added to Have I Been Pwned on June 13, 2025.
- Response actions taken: Recommendation that affected users change their passwords and enable Two-Factor Authentication (2FA).
## Attack Methodology
Given the description, this appears to be a data scraping incident targeting a publicly accessible or exploitable platform interface, rather than a complex intrusion:
- Initial Access: Exploitation of a platform interface (potential API exposure or insecure direct object reference).
- Persistence: Not applicable/Not detailed.
- Privilege Escalation: Not applicable/Not detailed.
- Defense Evasion: Not applicable/Not detailed; the actor likely leveraged existing access pathways.
- Credential Access: Not applicable/Not detailed (data was scraped; no credential material is reported stolen).
- Discovery: Direct interaction with the interface to locate and extract PII.
- Lateral Movement: Not applicable/Not detailed.
- Collection: Bulk downloading of user PII records.
- Exfiltration: Implied large-scale data transfer post-collection.
- Impact: Data exposure/scraping.
## Impact Assessment
- Financial: Not disclosed.
- Data Breach: PII exposure (472.3K records). Data types include: Names, Email Addresses, Profile Photos, Dates of Birth, and Phone Numbers.
- Operational: Not disclosed, but likely minor internal disruption compared to a full network breach.
- Reputational: Negative publicity resulting from data exposure publicized via HIBP.
## Indicators of Compromise
*As the incident description does not detail specific network connections or file changes, IoCs are limited to behavioral context:*
- Network indicators: Unknown/Not disclosed.
- File indicators: Unknown/Not disclosed.
- Behavioral indicators: Mass data retrieval via platform interface in May 2025.
## Response Actions
- Containment: Not disclosed; remediation of the vulnerable interface is implied to have followed discovery or initial reporting.
- Eradication: Not specified, presumed focused on interface hardening.
- Recovery actions: Advising affected users to update their security posture (change password, enable 2FA).
## Lessons Learned
- Interface Security: Unrestricted access to data interfaces (APIs or web endpoints) poses a significant risk for mass data scraping.
- Data Minimization: Review which PII fields (especially dates of birth and profile photos) associated with user accounts need to be publicly accessible or easily retrievable.
## Recommendations
- Conduct thorough security audits of all platform interfaces and APIs to ensure proper authorization controls (rate limiting, authentication checks) are enforced to prevent bulk data scraping.
- Implement stronger data access controls to restrict non-essential PII from being retrieved in bulk queries.
- Mandate and promote Two-Factor Authentication adoption for all user accounts.
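The behavioral indicator above (mass retrieval of profile records through a platform interface) and the first recommendation point to one concrete detection: flag a client that walks through many distinct, consecutive profile IDs inside a short window. The following is an added example, not code from Ualabee or from the source report; the access-log format, the `/api/users/<id>/profile` path and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (hypothetical format
# "<ts> <client_ip> <method> <path> <status>"); they are not real Ualabee logs.
# One client walks consecutive profile IDs once per second; the other reloads one profile twice.
SCRAPER_LINES = [
    f"2025-05-03T10:00:{i:02d}Z 198.51.100.7 GET /api/users/{1000 + i}/profile 200"
    for i in range(30)
]
NORMAL_LINES = [
    "2025-05-03T10:00:05Z 203.0.113.9 GET /api/users/4242/profile 200",
    "2025-05-03T10:00:40Z 203.0.113.9 GET /api/users/4242/profile 200",
]
SAMPLE_LOG = sorted(SCRAPER_LINES + NORMAL_LINES)  # ISO timestamps sort chronologically

LINE_RE = re.compile(r"^(\S+) (\S+) \S+ /api/users/(\d+)/profile \d+$")

def detect_profile_enumeration(lines, window_seconds=60, min_distinct=20, min_sequential_ratio=0.8):
    """Flag clients that pull many distinct user profiles in a short window.

    Two signals are combined per client: distinct profile IDs seen inside the
    sliding window (bulk retrieval) and the share of requests whose ID is exactly
    one higher than the previous one (ID enumeration). Returns
    {client: (distinct_ids, sequential_ratio)} for flagged clients only.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # client -> (timestamp, user_id) pairs inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # requests to other endpoints are not this detector's concern
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        client, user_id = m.group(2), int(m.group(3))
        q = recent[client]
        q.append((ts, user_id))
        while ts - q[0][0] > window:  # drop entries that fell out of the window
            q.popleft()
        ids = [uid for _, uid in q]
        distinct = len(set(ids))
        if distinct < min_distinct:
            continue
        sequential = sum(1 for a, b in zip(ids, ids[1:]) if b == a + 1)
        ratio = sequential / (len(ids) - 1)
        if ratio >= min_sequential_ratio:
            flagged[client] = (distinct, round(ratio, 2))
    return flagged
```

The same signals translate directly into a per-client rate limit on the profile endpoint; the thresholds here are illustrative and should be tuned against the platform's real traffic.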