India shipping logistics giant Shipyaari exposed customer data

Shipyaari, a Mumbai-based software company that offers shipping logistics to major consumer brands, exposed the personal data of thousands of its customers because of a months-long spill of its internal shipment information.

The exposed data, discovered by security researcher Ashutosh Barot, included Shipyaari customers’ names, addresses, phone numbers, order invoice amounts and delivery status. According to Barot, Shipyaari’s client tracking page was not password protected and could be viewed by anyone who had the web address.

“The exposed information could later be used to perform targeted social engineering attacks and financial frauds,” Barot told TechCrunch.

The researcher initially contacted Shipyaari about the exposure in October 2021, and the company promised a fix in December. Some changes were made, but they did not fix the exposure. It was eventually fixed in late July after TechCrunch reached out about the security incident.

“I appreciate Shipyaari for fixing the issue and implementing recommendations,” Barot said.

Shipyaari fixed the exposure by removing customers’ personally identifiable information (PII) from the tracking page and restricting access to the page with a one-time PIN (OTP) system. It later updated the system to limit bad actors from launching automated attacks.

“Data privacy is of utmost importance to us, and we will ensure such instances should not occur in the future,” Vishal Totla, founder of Shipyaari, said in an email response to TechCrunch.

Totla said customer PII data will no longer display on the page while loading.

Shipyaari claims to handle more than 5,000 shipments a day. The company also has more than 6,000 active sellers across the country.

Barot underlined that India needed strong data privacy laws to help limit growing instances of data exposures and leaks.

Earlier this month, the Indian government withdrew the long-anticipated Personal Data Protection Bill that was promoted to bring stringent rules to help protect its citizens’ privacy. The legislation alarmed tech giants and raised concerns about how they could manage sensitive user information.
