Payment app MobiKwik on Monday came under fire for an alleged data leak that has exposed around 8.2 terabytes of data, including know-you-customer (KYC) details, addresses, phone numbers, Aadhaar card data of its users on the dark web. The company, however, denied the breach.
The leak was first reported in February by security researcher Rajshekhar Rajaharia, and the company had denied it at the time. However, on Monday, a link from the dark web began circulating online, and several users confirmed seeing their personal details in it. Many people also posted screenshots of the alleged MobiKwik user data, which, according to sources, was up for sale for 1.5 bitcoin or about $86,000.
While the passwords were encrypted on masked in the data, the other personal details were not.
“Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure,” a MobiKwik spokesperson said.
The researcher, Rajaharia, had tweeted details of the leak on February 26,”11 Crore Indian Cardholder’s Cards Data Including personal details & KYC soft copy(PAN, Aadhar etc) allegedly leaked from a company’s Server in India. 6 TB KYC Data and 350GB compressed mysql dump”.
He followed his tweets by subsequently naming MobiKwik, who he said, had removed an old post about a previous data breach from 2010.
French hacker Robert Baptiste, who goes by the pseudonym Elliot Alderson on Twitter also tweeted on Monday: “Probably the largest KYC data leak in history. Congrats Mobikwik…” and posted a screenshot of the leaked data.
If the breach has indeed occurred, there is very little users can do except demand accountability from the company, a security researcher who did not wish to be named, said.
“Given the large data set, there is a big chance that scammers will be able to scam people and sound more authentic. Even though the passwords seem encrypted in the data, all the other details like PAN Card, Aadhaar card etc have not been masked. This makes anyone listed in the database vulnerable to fraud. The details include phone number email id too so it gives scammers an easy way to reach out to the users,” said independent security researcher Indrajeet Bhuyan.
MobiKwik last week raised $7.2 million in a funding round prior to the listing on the stock exchange. According to Entrackr, Mobikwik’s post-money valuation currently stands at $493 million with the latest funding round.