A report from an Indian news outlet reveals that 8.2 terabytes of personal data from 3.5 million users was allegedly leaked from the MobiKwik mobile payment wallet application. The stolen data was put up for sale on the dark web. The white-hat hacker who highlighted the data breach called it “probably the largest KYC data leak in the history”, according to the Indian news outlet.
The leaked data consisted of ID scans, phone numbers, addresses, emails and passports. All of it was put up for sale on various hacking forums at 1.5 Bitcoin (BTC) or $86,000. The data breach came into the limelight after some MobiKwik users posted screenshots of their KYC and financial details on social media. Another news outlet listed the assets offered for sale.
“The seller lists the following as included in the massive pack:
- Total 350GB MySQL dumps – > 500 databases
- 99 million – mail, phone, passwords, addresses, lots more data, apps installed, ph manf., IP address, GPS location
- 40 million – 10 digit card, month, year, card hash (sha256)
- lots of databases with all company data
- ~7.5 TB of ~3 million Merchant KYC data – passports, Aadhar cards, pan cards, selfie, store picture proof, etc., used to get loans on the site.”
The latter news outlet reports that entering users’ email addresses or phone numbers returns valid user information. All the details except the password were openly visible to everybody. However, MobiKwik denied the claim.
According to the latter news outlet, MobiKwik stated: “Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.”
A self-proclaimed internet security researcher posted a series of tweets in which he claimed that data of 11 crore Indians had been put up for sale.
“11 Crore Indian cardholders data allegedly leaked from @MobiKwik server, the hacker claimed. It seems hackers still have their data. The backup was allegedly taken on 20 Jan 2021. He claims to have MobiKwik access for the last 30 days. @RBI @IndianCERT Please look into this matter,” he tweeted on March 4, along with screenshots of the financial details of some users.
MobiKwik said its user and company data is completely safe and secure. “The various sample text files that he has been showcasing prove nothing. Anyone can create such text files to falsely harass any company,” it said. The company also said it would take legal action against this “so-called researcher” trying to “malign our brand reputation for ulterior motives”.
On the 26th of March, he tweeted again, claiming that 11 crore cardholders’ data from India had allegedly been leaked from a company’s server.
“Orphan/unclaimed data of 10 crore Indian debit #creditcard numbers including expiry date/month and KYC photos (PAN, Aadhar) are wandering on the dark web. Responsible (hacker) is saying that their card data is on their database. How it can be on the dark web,” he tweeted.
He also alleged that, after his tweet, MobiKwik deleted a blog post regarding the earlier unauthorized server access of 2010.
“I think it’s a big controversy now… what was the need of this step. Hiding things is not a solution,” he asked.
MobiKwik denied the claims and stated that the blog post is still up and was never deleted.
Experts said that the company would not be able to do much apart from acknowledging the data leak, if it occurred at all. Last week, MobiKwik raised nearly $7.2 million in a fresh funding round following the allotment of almost 42,159 preference shares at an issue price of Rs 12,450 per share. The company also planned to go public by September this year.
The alleged data theft from the Indian wallet application MobiKwik highlights the significance of avoiding central databases that store user data. Many individuals in the Bitcoin community advocate avoiding KYC collection, since doing so keeps third parties out of the picture and helps keep owners’ Bitcoin funds protected.
This may come from an overabundance of caution, but the alleged MobiKwik hack reasonably demonstrates the benefit of following such privacy practices.
Source: Bitcoin Magazine