In what is being called the biggest data leak in Indian history, several independent cybersecurity researchers have found that the personal data of over 10 crore customers of startup Mobikwik, is now available for sale on the dark web.
The Gurugram-based fintech company has continued to deny its role in the leak, calling the researchers that made the breach public “media-crazed” and accusing them of presenting “concocted files” as evidence. “We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure,” said a Mobikwik spokesperson.
A note to our users. https://t.co/J3WRM0Ko8v— Bipin Preet Singh (@BipinSingh) 1617097607000
While the nature and details of the alleged breach were flagged by security researchers Technadu and Rajshekhar Rajaharia over a month ago, several other independent researchers, including French security researcher Robert Baptiste aka ‘Elliot Alderson’, have since confirmed the hack.
Over 8 terabytes (TB) worth of personal user information such as email ids, phone numbers, names, addresses, passwords, GPS locations, and data related to users’ mobile devices was taken from Mobikwik’s main server by a hacker named ‘Jordan Daven’ and put on dark-web forums on January 20, Rajaharia said. “Regular keys and passwords should have been changed and logs should have been monitored to prevent this kind of security compromise,” he said.
The personal data of merchants that have procured loans through Mobikwik is also said to be on sale in exchange for bitcoins. The leak reportedly also contains card numbers and hashes of over four crore Mobikwik customers.
Independent researcher Avinash Jain also verified the alleged leak and said data on users is from as recently as January. “The personal data of users can be accessed in plain text and are stored insecurely on their servers,” Jain said. “It seems the attacker got hold of their cloud infrastructure and was able to access data stores where this information was stored.”
Jain added that data breaches are on the rise and that Indian startups need to take the security of their users’ data more seriously.
In recent months, several Indian startups have suffered massive data breaches. Mobikwik joins a list of other high-profile targets, including grocery e-tailer Big Basket, educational technology platform Unacademy and payment aggregator JusPay.
The Reserve Bank of India is learnt to be monitoring these security breaches and has introduced several new rules, including the impending payment aggregator and payment gateway guidelines, which would restrict the exposure of customer data to a few servers of licensed gateways.
Founded in 2009 by Bipin Preet Singh and Upasana Taku, Mobikwik counts the likes of Sequoia Capital and American Express as its investors. The fintech platform is eyeing a public listing in FY22. Apart from its digital wallet services, it also offers credit and insurance to merchants and consumers.