Durex India spilled customers’ private order data

Durex India, the Indian subsidiary of the British condom and personal lubricants brand, has exposed its customers’ personal information, including their full names and order details.

Security researcher Sourajeet Majumder contacted TechCrunch this week about the issue of exposing sensitive customer data on the condom maker’s website.

The brand’s website spilled customer names, phone numbers, email addresses, shipping addresses, the products ordered and the amount paid. The exact number of affected customers is not known. However, the researcher found evidence that hundreds of people had information exposed because of a lack of proper authentication on its order confirmation page.

“For a brand dealing with intimate products, ensuring privacy is crucial,” Majumder told TechCrunch.

TechCrunch verified Majumder’s findings and found that customer order details were still accessible online at the time of writing. As such, TechCrunch is withholding certain details about the exposure as to not aid malicious actors.

When reached by TechCrunch prior to publication about the exposed customer information, Ravi Bhatnagar, a spokesperson for Durex parent company Reckitt, declined to comment or say if the company plans to secure its customers’ information.

The researcher told TechCrunch that the data could be exploited for identity theft, and contact details may result in unwanted harassment. Majumder said that he also contacted India’s Computer Emergency Response Team (CERT-In) about the security lapse, which acknowledged his email.

“Affected customers can also become victims of social harassment or moral policing because of this leak,” the researcher said.