8.2 TB of MobiKwik user data allegedly hacked; company denies breach

Payment app MobiKwik on Monday came under fire for an alleged data leak that has exposed around 8.2 terabytes of data, including know-your-customer (KYC) details, addresses, phone numbers and Aadhaar card data of its users on the The company, however, denied the breach.

The leak was first reported in February by security researcher Rajshekhar Rajaharia, and the company had denied it at the time. However, on Monday, a link from the began circulating online, and several users confirmed seeing their personal details in it. Many people also posted screenshots of the alleged user data, which, according to sources, was up for sale for 1.5 bitcoin or about $86,000.

While the passwords were encrypted or masked in the data, the other personal details were not.

“Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure,” a spokesperson said.

The researcher, Rajaharia, had tweeted details of the leak on February 26: “11 Crore Indian Cardholder’s Cards Data Including personal details & KYC soft copy (PAN, Aadhar etc) allegedly leaked from a company’s Server in India. 6 TB KYC Data and 350GB compressed mysql dump.”

He followed up his tweets by naming MobiKwik, which, he said, had removed an old post about a previous from 2010.

French hacker Robert Baptiste, who goes by the pseudonym Elliot Alderson on Twitter, also tweeted on Monday: “Probably the largest KYC data leak in history. Congrats Mobikwik…” and posted a screenshot of the leaked data.

If the breach has indeed occurred, there is very little users can do except demand accountability from the company, a security researcher, who did not wish to be named, said.

“Given the large data set, there is a big chance that scammers will be able to scam people and sound more authentic. Even though the passwords seem encrypted in the data, all the other details like PAN Card, Aadhaar card etc. have not been masked. This makes anyone listed in the database vulnerable to fraud. The details include phone number and email id too, so it gives scammers an easy way to reach out to the users,” said independent security researcher Indrajeet Bhuyan.

MobiKwik last week raised $7.2 million in a funding round prior to the listing on the stock exchange. According to Entrackr, MobiKwik’s post-money valuation currently stands at $493 million with the latest funding round.
