Soon after MobiKwik officially denied reports of the “largest KYC data breach” for the second time in a month, the hacker claimed in a post on Raid Forum that he has voluntarily deleted data backups of over 10 crore MobiKwik users. This is a bit surprising, as the hacker, who goes by the name “ninja_storm”, had put up 8.2TB of MobiKwik user data for sale at a price of 1.5 Bitcoin, which translates to around Rs 65 lakh, just three days back, on March 27, 2021.
While the alleged data breach itself was a public relations nightmare for MobiKwik, what’s concerning here is that the hacker appears to have got access to personal data of 10 crore users of MobiKwik for over a month. According to cyber security researcher Rajshekhar Rajaharia, the hacker got access to the data around January 21, 2021.
This 8.2TB data backup is said to have “email, phone number, passwords, addresses, other apps installed on users’ phone, phone manufacturer’s names, IP addresses, GPS location, etc” of 10 crore users. Among the 10 crore users, the database had bank card details of 4 crore users and merchant KYC data of 30 lakh users. The KYC data included “passports, Aadhaar cards, PAN cards, selfie, store picture proof etc used to get loans on the site,” as per the hacker.
The chain of events of “largest KYC data breach”
February 8, 2021: The hacker joins Raid Forum. His latest name is “
February 24, 2021: For the first time, the hacker posted about the data breach with the subject “BIG DATA LEAK of one of top 3 financial services company from India – 7 TB”. He was seeking replies from “serious buyers”. The hacker had not yet revealed the name of the company.
When viewers demanded proof of data, the hacker said that he had sent “initial proof” to four people. He also said, “Will setup discord or telegram or jabber and update the thread. We are moving the data to better/more secure servers rn will be done in 24 hrs @ 60-100MBPS.” Later that day, the Discord server was created and the hacker invited people to discuss the data deal.
February 25, 2021: The hacker posts a message on Raid Forum claiming that he lost access to his initial servers while transporting the data to other servers and that there was no real data left with him at all.
February 26, 2021: Cybersecurity researcher Rajshekhar Rajaharia tweets about this data leak for the first time. His tweet did not mention or link the leaked data to MobiKwik.
Again!! 11 Crore Indian Cardholder’s Cards Data Including personal details & KYC soft copy(PAN, Aadhar etc) alleged… https://t.co/y01YaznT5s — Rajshekhar Rajaharia (@rajaharia)
February 27, 2021: Rajaharia pins the leaked data to MobiKwik. “The hacker did not mention the name of the company. The reason why the hacker did not disclose the name of the company that got breached is because he wanted to make some money. Later he created a group on Discord and started to share details as evidence of the breach. Through his sample data, I guessed it belonged to MobiKwik,” Rajaharia told The Times of India–GadgetsNow.
March 4, 2021: MobiKwik releases its first official statement denying the data leak. It claimed that “a media-crazed so-called security researcher” reported a false case of cybersecurity to grab media attention. The company had said that their “legal team will be pursuing strict action against this so-called researcher who is trying to malign the brand reputation for ulterior motives.”
A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting pr… https://t.co/iug0wm7Jtf — MobiKwik (@MobiKwik)
March 6, 2021: The hacker confirms that the leaked data belongs to MobiKwik and once again claims to have “lost the data”.
March 27, 2021: The hacker posts another message on Raid Forum from the same account. He claims to have recovered all data and says that it is up for sale at 1.5 BTC (or Rs 65 lakh). A month ago, the hacker said that he had lost all data while shifting it to secure servers.
What’s worth noting here is that the data the hacker had in his possession on March 27, 2021 was not enough to access MobiKwik accounts. The same was also pointed out by other “interested parties”, who termed the leak “useless”. This is mainly because users need to verify OTPs (delivered via SMS) for logins and transactions on MobiKwik. So, despite having all user data, the hacker could not have stolen money from users’ accounts even if he wanted to.
March 29, 2021: Several users questioned MobiKwik on Twitter about the data breach after finding their details on an Onion portal link. A kind of search engine around the database was created on Onion, which allowed people to find personal details of MobiKwik users by searching with an email ID. Once they got a match, some users claimed that the data was accurate and indeed sourced from MobiKwik. A few of these users posted screenshots of the leaked personal details on Twitter.
What the fuck is this @MobiKwik @MobiKwikSWAT How the hell are my all the cards that are linked to my mobikwik a… https://t.co/XnUefKJrBR — Aanjney Bhardwaj (@bhardwaj_anjney)
March 29, 2021: Hacker claims that he has deleted details of some users from the database after getting deletion requests from people. He also offered to delete all data only if MobiKwik accepted the data breach publicly. “Tweet mobikwik and if they will agree publicly then i’ll take all site down. They are lying for weeks,” he posted on the Raid Forum.
March 30, 2021, 5:13AM: Hacker claims that he hasn’t sold the leaked data. News of the MobiKwik data breach appears on almost all major news sites.
March 30, 3:30PM: MobiKwik releases another statement denying the breach. The company did not accept that “the data available on the darkweb has been accessed from MobiKwik or any identified source.” It further added, “…considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit.”
Message from the Company on Data Security – https://t.co/ra4l9hDGRA — MobiKwik (@MobiKwik)
March 30, 6:35PM: Hacker posts another message on Raid Forum claiming that he has deleted all data. “I’ve done this deletion myself and no foul play here. Now all of your data is secure with Mobikwik and no one can misuse it except of course Mobikwik for targeted ads or call which everyone does anyway. We just don’t want to see a company dig themselves deeper and bury themselves in. Guess we all learned some useful life lessons during this past couple of days. Adios,” he said in a long post.
Without revealing the exact reason for giving up on his data, the hacker claims that he does not want to hurt the company ahead of its listing. MobiKwik is targeting an IPO before September 2021 and expects to raise between $200 million and $250 million.
March 30, 7:28PM: In a separate post, the hacker claims that he hasn’t taken any money for voluntarily deleting the data.
The leaked database had personal details of 10 crore users and the hacker had put an asking price of around Rs 65 lakh or 1.5 Bitcoin on it. The maths roughly translates to 6 paise per user. With MobiKwik denying the breach, we only have the hacker’s word that the data has actually been deleted. Also, we have little option but to believe the hacker that he hasn’t already sold the data to some other party. Having said that, the leaked data is already claimed to be floating around Telegram groups.
While the data may not be of use in direct financial frauds, it can be used for impersonation, bullying, targeted spam and phishing attempts and other types of online crimes.