The know-your-customer (KYC) information of 3.5 million MobiKwik users has allegedly been leaked, with a hacker asking for 1.5 bitcoins in exchange for 8.2TB of data.
The breach was highlighted by a French security researcher who goes by the name Elliot Anderson. He has flagged such leaks of Indian users' data in the past.
Probably the largest KYC data leak in history. Congrats Mobikwik... pic.twitter.com/qQFgIKloA8— Elliot Alderson (@fs0c131y) March 29, 2021
The leaks, which have apparently been known for a while, were flagged by security researcher Rajshekhar Rajaharia, who had pointed out the existence of the database earlier in March. Reportedly, over 37 million files including the KYC of 3.5 million individuals—100 million phone numbers, emails, passwords, geodata, bank accounts and CC data—were leaked.
The hacker, who had posted onto an onion link on the deep web, reportedly allows users to search for their phone number of mail ids. The hacker called it the “Biggest KYC data leak ever”.
11 Crore Indian CardHolders data alleged leaked from @MobiKwik Server, Hacker claimed. It Seems hacker still have their data. Backup was alleged taken on 20Jan 2021. He claim to have mobikwik access since last 30 days. @RBI @IndianCERT Please look into this matter.#InfoSec #GDPR pic.twitter.com/tBS3U6Oqhw— Rajshekhar Rajaharia (@rajaharia) March 4, 2021
Some users posted saying they had found their data included in the files.
What the fuck is this @MobiKwik @MobiKwikSWAT— Aanjney Bhardwaj (@bhardwaj_anjney) March 29, 2021
How the hell are my all the cards that are linked to my mobikwik account are shown to a certain link ?
Shut down your services.#shamemobikwik pic.twitter.com/yN7C1SoPHT
MobiKwik have denied the leak, saying “Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.”