India’s leading online supermarket BigBasket acknowledged putting sensitive data of more than 20 million users at stake.
US-based cybersecurity firm Cyble Inc. reported that a leading online supermarket in India, BigBasket, has confirmed a data breach in which hackers stole sensitive data of millions of its users.
The Bengaluru-based BigBasket is funded by Mirae Asset-Naver Asia Growth Fund, Alibaba Group, and the UK government-owned CDC Group. BigBasket rose to fame during the lockdown imposed in India in the coronavirus pandemic.
It is an e-commerce platform where consumers can order groceries delivered at home after making payment online. Hence, a variety of sensitive customer data is stored on the app for future transactions, including credit or debit card information, contact numbers, and delivery address.
Reportedly, tens of thousands of BigBasket users’ data is at stake. Cyble claims that its research team discovered a database containing details of over 20 million BigBasket users. The database was up for sale on a Dark Web marketplace for around $40,000. The data breach was detected on 31 Oct.
According to researchers, the database has a table named “member_member,” and it is 15GB in size. It includes full names, password hashes and hashed OTPs, email addresses, mobile and phone numbers, pin, date of birth, home address, location, and login IP addresses.
Cyble Inc. informed BigBasket’s management team about the breach on 1 Nov, just a day after discovering it.
The company acknowledged the breach and has filed a police complaint against the attackers. It also confirmed that debit and credit card data wasn’t exposed. In a statement, the company confirmed that:
“The only customer data we maintain are email IDs, phone numbers, order details, and addresses so these are the details that could potentially have been accessed. We have a robust information security framework that employs best-in-class resources and technologies to manage our information.”