MobiKwik has denied the breach and described the security researcher who initially reported the incident as “a media-crazed so-called security researcher” who is “desperately trying to grab media attention.”
Fintech platform MobiKwik is being criticized for hiding a data breach that exposed nearly 8.2TB of data, including sensitive records such as KYC details, phone numbers, addresses, and Aadhaar card data.
The leak was first reported in February 2021 by security researcher Rajshekhar Rajaharia. However, the company denied the news at the time, and it still hasn’t accepted that the breach has occurred.
In fact, in a tweet, the company publicly insulted the researcher by calling him “a media-crazed so-called security researcher” who is “desperately trying to grab media attention.”
Details of the Hack
According to the tweet posted by Rajaharia on February 26, card data of approximately 11 crore Indian cardholders was leaked from an Indian company’s server. The tweet read:
“11 crore (11 million) Indian cardholders’ card data, including personal details and KYC soft copy (PAN, Aadhar, etc) allegedly leaked from a company’s server in India. 6 TB of KYC data and 350 GB of compressed MySQL dump”.
The researcher later identified the firm as MobiKwik, which brands itself as “a Truly Indian Payments App.” He further alleged that the company removed an old post about another data breach that occurred in 2010. However, MobiKwik stated that the post is still up and wasn’t removed.
French hacker Robert Baptiste, who uses the pseudonym Elliot Alderson on Twitter, reported the hack on Monday. In his tweet, Baptiste noted that it could be the largest KYC data breach.
“Probably the largest KYC data leak in history. Congrats Mobikwik…”
Baptiste also posted a screenshot of the exposed data and revealed that the leaked database contained 36,099,759 files and KYC data of nearly 3.5 million people.
Data Up for Sale on Dark Web
On Monday, a link, reportedly associated with the dark web and containing the leaked MobiKwik data, began circulating online. Many users confirmed seeing their details on that link and posted screenshots of the data.
The passwords were encrypted or masked, but other details weren’t. The data was up for sale for 1.5 bitcoin, which is about $86,000. One user of the Chennai-based payment platform and wallet MobiKwik posted that he saw data containing his name, bank account details, and address on the link circulating on the web.
“All my details including name, address, bank account details are there on the link shared by the independent researcher,” the user said.
Hacker puts searchable link on dark web
The unknown hacker has now uploaded the data to a website accessible through the Tor browser. The website lets users search to check whether their data is included in the breach.
MobiKwik seems to have been in denial mode right from the beginning. The company’s spokesperson stated that it is the work of media-crazed people who are presenting ‘concocted files’ and wasting the company’s time, since the company couldn’t find any security lapses.
“Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure,” the company said in a blog post.
3.5 Million Users at Risk
We cannot state with certainty whether the data breach occurred or not. But if it did, and the details shared by both researchers are correct, then 3.5 million MobiKwik users might be vulnerable to scams.
There’s not much that they can do except demand risk mitigation from the company. While passwords are encrypted, other crucial data like the PAN card, Aadhaar card, email IDs, contact numbers, and addresses are available. Therefore, anyone listed in the database will remain vulnerable.