The recent data breach of the popular Nepali short video app Ramailo has raised serious questions about cybersecurity and data protection in Nepal. On December 15, a hacker by the name of Deadlyweapon1337 leaked the personal data of over 20,000 Ramailo users on the dark web hacking forum Breach Forums hosted in dark web.
The leaked data includes full names, email addresses, phone numbers, home addresses, dates of birth, bios, profile pictures, and other sensitive information. This exposes Ramailo users to significant privacy violations and potential fraud or identity theft.
The hacker claims to have backdoor access to Ramailo’s servers and can leak 269,000+ user profiles anytime. Experts have attributed the breach to an IDOR (Insecure Direct Object Reference) vulnerability. IDOR occurs when access controls are improperly managed, allowing one user to access another user’s data, but while observing the algorithms of the app IDOR has not been performed hacker has exploited the features of the app which led the hacker to retrieve all the data easily in JSON format.
Essentially, there was a flaw in Ramailo’s user profile pages that allowed the hacker to increment profile IDs and scrape user information without authentication. This incident highlighted the Nepali tech industry’s lack of awareness and resources for cybersecurity.
Ramailo as an alternative to TikTok which was banned by the government on November 13. Nevertheless, with the increasing popularity of local apps, it is evident that the protection of user data and privacy is not given due priority. Ramailo, which recently secured seed funding from private Nepali investors and venture capital (VC) firms, lacks substantial evidence indicating that basic due diligence regarding security was conducted either before or after the investment. This highlights the overall immaturity of Nepal’s startup ecosystem.
Cybersecurity is often treated as an afterthought or add-on. Most founders with no technical background fail to consider data protection as a core product requirement from day one. Investors racing to grow their portfolios also rarely account for security risks in their models. With fast growth and scale as the end goals, security loopholes can intentionally or unintentionally get overlooked. The costs of short-changing security, however, as evident in this breach, are massive. Lives are seriously impacted once sensitive personal data gets auctioned on the dark web.
The policy vacuum in Nepal that enabled the breach
While the startup ecosystem jumped the gun on security, the policy vacuum in Nepal is equally culpable for enabling the Ramailo breach. The government’s near-total lag in keeping up with digital adoption has fostered ideal conditions for safety incidents like this to recur. Unlike the EU’s strict GDPR policy or India’s in-the-works data protection bill, Nepal currently lacks any dedicated legal framework covering cybersecurity, privacy, or online harms.
Digital rights issues are simply not seen as a pressing priority by lawmakers and rarely make the national legislative agenda. Even previous attempts at bills meant to tackle cybercrime specifically have remained in limbo for years. As a result, the country’s fast-growing internet population remains largely unprotected and unaware. Without robust laws or penalties holding companies accountable, data security is treated as an expendable line item or cost centre.
Startups like Ramailo can rush to growth without ever safeguarding actual users. The citizens meanwhile embracing apps with enthusiasm also lack basic awareness of modern cyber threats and data vulnerabilities. There are no requirements for companies to be transparent about security practices or breach incidents.
Essentially, Nepal’s failure to update policy has produced a worst-case scenario in the digital era: millions of normal citizens rely on apps daily but stay deeply exposed at the individual level, while the companies mining their data have no real obligations, oversight, or repercussions.
This policy vacuum explains why Ramailo could suffer a devastating breach exposing 20,000+ people yet issue no response. The lack of laws governing data responsibility provides sufficient leeway for negligence. Had strong legal protections, compliance requirements, and threat deterrence been instituted proactively, startups would have approached security and transparency more seriously from day one.
Instead, not only was the breach able to occur and put thousands of Nepalis at lifelong risk, but Ramailo faced no real pushback denying involvement outright. Ultimately Nepal’s failure to close the digital policy gap furnished the conditions allowing this traumatic identity theft crisis to strike its citizens. Until lawmakers wake up to the new technical realities, such avoidable incidents are bound to repeat.
Why the Ramailo breach matters
The damage from the Ramailo case is not just to the 20,000 users already doxed but the precedent it sets for the future. The breach exposed highly sensitive information putting people at risk of fraud, identity theft, social engineering attacks, and traumatic abuse or extortion.
The black market value of bulk personal data continues to grow as demand rises from cyber criminals globally. Once data enters this marketplace, victims have no control over how it spreads or gets misused by malicious actors. There are already indications the Ramailo data is being traded between groups specialising in ID theft and scamming.
Beyond immediate threats, the breach also causes lasting damage where victims remain perpetually vulnerable. Stolen data can resurface years later without warning as it gets recycled between criminal forums. Every future app or platform people sign up for also stays susceptible to automated credential stuffing attacks.
The breach also serves as a template for similar attacks on other homegrown apps. Local startups have exploded since the TikTok ban but neglect cybersecurity measures in their rush to growth. As Nepal-made apps from shopping to gaming apps take off, the risks will compound for end-users.
Similarly, Supreme Court Advocate Newal Chaudhary says that the numerous data leaks in Nepal have a significant impact on user privacy. He suggests that the government should expedite the creation of legislation to regulate the privacy of individuals as a crucial and timely measure.
Ramailo’s response notably sets another dreadful precedent. The blanket denial and silence from its founders demonstrate Nepali tech companies feel zero accountability towards users once the initial app signup is done.
Their notions of safety, security, and customer service do not account for breach incidents most view as external or one-off cases. Ultimately, the government’s inaction and the technology industry’s immaturity have directly facilitated the country’s first mass data breach. And based on the ambivalent reactions so far, the victims face a nightmare of getting justice or future reform.
Ongoing fallout
Despite detailed data being leaked on the breach forum, Ramailo has yet to acknowledge any security incident to its users or the public. Across social media, victims have recounted being unable to get any response from the company on record.
Multiple journalists have also faced similar denial or silence from founders when contacted about the breach. There are no assurances that the police have opened formal investigations, but no outcomes have been declared yet.
This leaves users whose highly sensitive personal data was leaked wrestling confusion, anxiety, and trauma without support. The platforms meant to connect people and enable self-expression now carry feelings of intrusion and betrayal.
Victims also bear the deep uncertainty of how their stolen data will get exploited and fear what future harms await them. Those most exposed like women, minors, and marginalized groups feel especially shaken about potential surveillance, tracking, doxing or extortion.
