Shipyaari, a Mumbai-based software company that offers shipping logistics to major consumer brands, exposed the personal data of thousands of its customers because of a months-long spill of its internal shipment information. The exposed data included Shipyaari customers’ names, addresses, phone numbers, order invoice amounts and delivery status.

Shipyaari’s client tracking page was not password protected and could be viewed by anyone who had the web address. Shipyaari fixed the exposure by removing customers’ personally identifiable information (PII) from the tracking page and restricted its access with a one-time PIN (OTP) system. It later updated the system to limit bad actors from launching automated attacks.