How was the OxBykes security vulnerability discovered?

A regular customer was accidentally granted administrative access to the company's database while attempting to contact customer support about a rented bicycle. The flaw was apparently triggered by a specific button within the mobile application that inadvertently provided database access.

What customer information was exposed in the OxBykes breach?

The data breach exposed customer information, including full names, contact details (likely including phone numbers and email addresses), order history and rental records, and other unspecified customer database information.

What official response measures has OxBykes implemented?

OxBykes CEO Tom Widgery confirmed the incident and stated the company is treating the matter 'with the utmost urgency.' The company has implemented several response measures: 1) The security vulnerability has been patched to prevent further unauthorized access, 2) OxBykes is consulting with legal counsel to understand the full implications of the breach, 3) The incident has been reported to the Information Commissioner's Office (ICO) in compliance with data protection regulations, and 4) The company is preparing to directly contact all potentially affected customers.

What type of security flaw caused the OxBykes breach?

The breach was caused by an administrative-level permission error within the mobile app's interface. A specific button within the mobile application inadvertently provided database access, accidentally granting a regular customer administrative access to the company's database.

Has OxBykes reported the breach to regulatory authorities?

Yes, the incident has been reported to the Information Commissioner's Office (ICO) in compliance with UK data protection regulations.

What should OxBykes customers do following this data breach?

OxBykes customers should wait for direct communication from the company, as they are preparing to contact all potentially affected customers. Customers should also monitor their accounts for any suspicious activity and consider changing passwords for their OxBykes account and any other accounts that may use similar information.

In which cities does OxBykes operate?

OxBykes operates bicycle rental services in three major UK cities: Oxford, Cambridge, and London.

Incident

OxBykes mobile app flaw grants admin acces, exposes customer information

Q: How long was the OxBykes vulnerability accessible?

According to the customer who discovered it, who has requested anonymity, this vulnerability was accessible 'throughout the past week' prior to discovery on May 13, 2025.

published: May 23, 2025

Take action: Always validate user permissions on every single API call server-side - never trust that the mobile app or frontend is sending the right user role, and implement proper authorization checks for each endpoint. Databases should NEVER be accessible directly, only through an application layer with controls.

Learn More

OxBykes, a bicycle rental company operating in Oxford, Cambridge, and London, has experienced a significant data breach due to a security flaw in its mobile application.

The incident was discovered on May 13, 2025 and resulted in unauthorized access to sensitive customer information through an administrative-level permission error within the app's interface. A regular customer was accidentally granted administrative access to the company's database while attempting to contact customer support about a rented bicycle.

According to the customer, who has requested anonymity, this vulnerability was accessible "throughout the past week" prior to discovery. The flaw was apparently triggered by a specific button within the mobile application that inadvertently provided database access.

Upon discovering the issue, OxBykes founder Louis Wright personally contacted the customer via WhatsApp on Sunday, acknowledging the error and requesting discretion regarding the confidential information. The data breach exposed customer information, including:

Full names
Contact details (likely including phone numbers and email addresses)
Order history and rental records
Other unspecified customer database information

OxBykes CEO Tom Widgery confirmed the incident on Wednesday, stating that the company is treating the matter "with the utmost urgency." The company has implemented several response measures:

The security vulnerability has been patched to prevent further unauthorized access
OxBykes is consulting with legal counsel to understand the full implications of the breach
The incident has been reported to the Information Commissioner's Office (ICO) in compliance with data protection regulations
The company is preparing to directly contact all potentially affected customers

The number of affected individuals has not been disclosed. OxBykes has characterized the exposure as affecting "a very limited selection of customer data from a small number of customers," but no specific figures have been provided.

The company operates 42 bicycle depots across three major UK cities (25 in Oxford, 14 in Cambridge, and 3 in London), suggesting they have a substantial customer base that could potentially be affected.

OxBykes mobile app flaw grants admin acces, exposes customer information

Read More
Dartmouth College reports data breach caused by exploit …
Australian political parties hit by ransomware attack exposing …
Stillwater Mining Company reports data breach after ransomware …
Lynx ransomware group claims breach of Regis Resources …
European Parliament reports data breach of its recruitment …