CarDekho Gaadi Store, Glofox and others fall victim to data leaks.
09 January 2022 | BREACHAWARE HQ
A total of 19 breach events were found and analysed, resulting in 14,533,632 exposed accounts containing a total of 13 different types of personal data. The breaches found publicly and freely available included CarDekho Gaadi Store, Glofox, i-Dressup, Farma Delivery and New Meet.
Categories of Personal Data Discovered
Contact Data, Technical Data, Socio-Demographic Data, Locational Data, Financial Data, Usage Data, Social Relationships Data.
Data Breach Analysis
The publicly accessible data sets linked to these breaches originated from a diverse cross-section of industries, spanning automotive resale, fitness technology, youth-focused fashion communities, pharmaceutical delivery, and modern social networking. Each of these services offers tailored functionality to niche user bases, but all operate within the broader landscape of digitized lifestyle services, where convenience, personalisation, and rapid access drive engagement, often at the expense of privacy and robust cybersecurity measures.
Platform Breakdown: Digital Lifestyles and Their Exposure
The breached entities serve a wide range of everyday needs, illustrating how individuals share personal data across a broad spectrum of platforms, often without considering long-term digital implications.

CarDekho Gaadi Store operates within India's growing used vehicle marketplace, offering car valuation tools, vehicle listings, and buyer/seller matchmaking. Users may enter:
- Personal contact information
- Vehicle registration numbers
- Loan or financing details
- Driving license-related documents
Because vehicle marketplaces often facilitate offline interactions (e.g., test drives, vehicle inspections), attackers may exploit leaked data to launch localised scams, pose as legitimate buyers/sellers, or attempt identity theft using personal-vehicle registration cross-referencing. The combination of automotive + financial data makes this particularly valuable to malicious actors.
Glofox provides infrastructure for gyms, fitness studios, and personal trainers to manage bookings, memberships, and communications. The risk here stems from:
- Recurring billing information
- Health or wellness preferences
- Physical location data, such as gym check-ins
While the data may not always be overtly sensitive, its exposure can still facilitate social engineering attacks, especially in industries like fitness where community and personal connection are core to brand identity. If a malicious actor gains access to internal Glofox systems or spoofed communications, the result could include fraudulent promotions or phishing campaigns targeting members with “membership updates.”
i-Dressup was a fashion and dress-up game community that catered largely to pre-teens and teenagers, featuring virtual makeovers, profile customisation, and social features.
Breaches involving platforms with a minor user demographic are particularly sensitive. Even if the data seems benign, it can be used in targeted grooming attempts, impersonation scams, or to link seemingly anonymous usernames with real-world identities (especially if usernames are reused across platforms). i-Dressup has faced scrutiny in the past for lax security; this breach reinforces how such platforms remain vulnerable well after their peak popularity.
Farma Delivery, as its name suggests, operates in the delivery of medications and healthcare products. Although not all health platforms are covered under stringent health data regulations like HIPAA (especially outside the U.S.), consumers often assume pharmacy-level discretion when using online medication services. A breach in this domain threatens both privacy and dignity, particularly if purchases reveal personal or stigmatised health concerns. It also opens doors to pharmaceutical scams or offers based on harvested purchase behaviour.
New Meet, inferred to be a platform for meeting new people, whether for friendship, dating, or casual interaction, likely collected:
- Profile data
- Chat transcripts
- Location or preference filters
Breaches in such platforms expose more than account information; they touch on intimate digital footprints, including relationship status, preferences, and patterns of engagement. When such data is leaked, users face risks of harassment, blackmail, or public embarrassment, especially in more conservative cultures where digital dating is still stigmatised.
This set of breaches, while numerically moderate in scope, demonstrates how “non-traditional” platforms, those not primarily seen as tech giants, are increasingly responsible for housing sensitive user data. Users may not think twice about inputting personal information into an appointment scheduler, game, or secondhand car app, yet these platforms are all connected to their broader online identity.
Key patterns include:
- Platform diversity, common vulnerability: From social apps to auto marketplaces to health retailers, platforms across sectors are unified by similar data structures and backend vulnerabilities.
- Youth and lifestyle platforms at risk: Services like i-Dressup and New Meet cater to emotionally and socially vulnerable groups (children, teens, or people seeking connection) who may not be equipped to deal with fallout from exposure.
- Healthcare-lite services in a gray zone: Farma Delivery is emblematic of a fast-growing category of e-commerce platforms offering health-adjacent products but without the infrastructure of regulated pharmacies, making them frequent targets and often lacking the compliance needed to secure user trust.
Risks to Individuals
Users whose data was compromised in this cluster may face the following risks:
1. Credential Reuse Attacks: Breaches that expose emails and passwords, even if hashed, become fuel for credential stuffing attempts across other platforms.
2. Phishing and Impersonation: With access to names, habits, and service preferences, attackers can send targeted emails or text messages that appear highly legitimate.
3. Location-Based Targeting: Fitness check-ins, delivery addresses, and regional car listings can all be used to triangulate a user's physical location or lifestyle.
4. Reputation Damage: Particularly for social platforms or youth-focused communities, exposure of usernames and interaction history can lead to online harassment or shaming.
For Platform Owners: The Breach is Bigger Than the Leak
Organisations behind platforms like those listed here must recognise that the risk exposure exceeds the technical breach. Even after the data is removed from public forums or indexed archives, its presence in leak databases ensures that it will continue to surface, in spam, scams, or criminal intelligence.

Security investments need to scale not just with user base size, but with data sensitivity and user vulnerability. This means stronger encryption, rapid breach detection, and user notification protocols, even when regulations may not mandate them.
Conclusion
These 19 breaches serve as a reminder that no platform is too small or too niche to be targeted, especially when it collects data tied to real-world identity, behaviour, or emotional engagement. For the over 14 million users affected, the digital trace of their interactions across cars, fitness, pharmacy products, youth fashion, and social discovery now lives on in data marketplaces and dark web indexes.

As our digital habits spread across vertical-specific apps and services, cybersecurity hygiene, on both the user and provider sides, becomes paramount. Platforms must treat user data not as a technical byproduct, but as a trust asset, and breach fallout as a reputational liability with long half-life effects.