Mobikwik denies data breach as cybersecurity researchers say 3.5 million users' data for sale
8.2TB of data is being put up for sale on the deep web for 1.5 bitcoins
8.2TB of data is being put up for sale on the deep web for 1.5 bitcoins
8.2TB of data is being put up for sale on the deep web for 1.5 bitcoins
8.2TB of data is being put up for sale on the deep web for 1.5 bitcoins
The know your customer (KYC) information of 3.5 million MobiKwik users has allegedly been leaked, with a hacker asking for 1.5 bitcoins in exchange for 8.2TB of data.
The breach was highlighted by a French security researcher who goes by the name Elliot Anderson, who has highlighted such leaks in the past.
<blockquote class="twitter-tweet"><p lang="en" dir="ltr">Probably the largest KYC data leak in history. Congrats Mobikwik... <a href="https://t.co/qQFgIKloA8">pic.twitter.com/qQFgIKloA8</a></p>— Elliot Alderson (@fs0c131y) <a href="https://twitter.com/fs0c131y/status/1376486314296676360?ref_src=twsrc%5Etfw">March 29, 2021</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
The leaks, which have apparently been known for a while, were flagged by security researcher Rajshekhar Rajaharia, who had pointed out the existence of the database earlier in March. Reportedly, over 37 million files including the KYC of 3.5 million individuals—100 million phone numbers, emails, passwords, geodata, bank accounts and CC data—were leaked.
<blockquote class="twitter-tweet"><p lang="en" dir="ltr">Again!! 11 Crore Indian Cardholder's Cards Data Including personal details & KYC soft copy(PAN, Aadhar etc) allegedly leaked from a company's Server in India. 6 TB KYC Data and 350GB compressed mysql dump.<a href="https://twitter.com/RBI?ref_src=twsrc%5Etfw">@RBI</a> <a href="https://twitter.com/IndianCERT?ref_src=twsrc%5Etfw">@IndianCERT</a> <a href="https://twitter.com/hashtag/InfoSec?src=hash&ref_src=twsrc%5Etfw">#InfoSec</a> <a href="https://twitter.com/hashtag/dataprotection?src=hash&ref_src=twsrc%5Etfw">#dataprotection</a> <a href="https://twitter.com/hashtag/Finance?src=hash&ref_src=twsrc%5Etfw">#Finance</a> <a href="https://t.co/yjc7davH3k">pic.twitter.com/yjc7davH3k</a></p>— Rajshekhar Rajaharia (@rajaharia) <a href="https://twitter.com/rajaharia/status/1365324943630561281?ref_src=twsrc%5Etfw">February 26, 2021</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
The hacker, who had posted onto an onion link on the deep web, reportedly allows users to search for their phone number of mail ids. The hacker called it the “Biggest KYC data leak ever”.
Some users posted saying they had found their data included in the files.
<blockquote class="twitter-tweet"><p lang="en" dir="ltr">What the fuck is this <a href="https://twitter.com/MobiKwik?ref_src=twsrc%5Etfw">@MobiKwik</a> <a href="https://twitter.com/MobiKwikSWAT?ref_src=twsrc%5Etfw">@MobiKwikSWAT</a> <br>How the hell are my all the cards that are linked to my mobikwik account are shown to a certain link ? <br>Shut down your services.<a href="https://twitter.com/hashtag/shamemobikwik?src=hash&ref_src=twsrc%5Etfw">#shamemobikwik</a> <a href="https://t.co/yN7C1SoPHT">pic.twitter.com/yN7C1SoPHT</a></p>— Aanjney Bhardwaj (@bhardwaj_anjney) <a href="https://twitter.com/bhardwaj_anjney/status/1376524652986556426?ref_src=twsrc%5Etfw">March 29, 2021</a></blockquote> <script async src="https://platform.twitter.com/widgets.js" charset="utf-8"></script>
MobiKwik have denied the lea, saying “Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.”