While the alleged data breach itself was a public relations nightmare for MobiKwik, what’s concerning here is that the hacker appears to have had access to personal data of 10 crore users of MobiKwik for over a month. According to cyber security researcher Rajshekhar Rajaharia, the hacker got access to the data around January 21, 2021.
This 8.2TB data backup is alleged to have “email, phone number, passwords, addresses, other apps installed on users’ phone, phone manufacturer’s names, IP addresses, GPS location, etc” of 10 crore users. Among the 10 crore users, the database had bank card details of 4 crore users and merchant KYC data of 30 lakh users. The KYC data included “passports, Aadhaar cards, PAN cards, selfie, store picture proof etc used to get loans on the site,” as per the hacker.
What’s worth noting here is that the data the hacker had in possession on March 27, 2021 was not enough to access MobiKwik accounts. The same was also pointed out by other “interested parties”, who termed the leak “useless”. This is mainly because users have to verify OTPs (delivered via SMS) for logins and transactions on MobiKwik. So, despite having all user data, the hacker couldn’t have stolen money from users’ accounts even if he wanted to.
March 29, 2021: Several users questioned MobiKwik on Twitter about the data breach after finding their details on an Onion portal link. A kind of search engine around the database was created on Onion, which allowed people to find personal details of MobiKwik users by searching with an email ID. Once they got a match, some users claimed that the data was accurate and indeed sourced from MobiKwik. A few of these users shared screenshots of the leaked personal details on Twitter.
What the fuck is this @MobiKwik @MobiKwikSWAT How the hell are my all the playing cards which might be linked to my mobikwik a… https://t.co/XnUefKJrBR
— Aanjney Bhardwaj (@bhardwaj_anjney) 1617024026000
March 29, 2021: Hacker claims that he has deleted details of some users from the database after getting deletion requests from people. He also offered to delete all data only if MobiKwik accepted the data breach publicly. “Tweet mobikwik and if they will agree publicly then i’ll take all site down. They are lying for weeks,” he posted on the Raid Forum.
March 30, 2021, 5:13AM: Hacker claims that he hasn’t sold the leaked data. News of the MobiKwik data breach appears on almost all major news websites.
March 30, 3:30PM: MobiKwik releases another statement denying the breach. The company did not accept that “the data available on the darkweb has been accessed from MobiKwik or any identified source.” It further added, “…considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit.”
Message from the Company on Data Security – https://t.co/ra4l9hDGRA
— MobiKwik (@MobiKwik) 1617098435000
March 30, 6:35PM: Hacker posts another message on Raid Forum claiming that he has deleted all data. “I’ve done this deletion myself and no foul play here. Now all of your data is secure with Mobikwik and no one can misuse it except of course Mobikwik for targeted ads or call which everyone does anyway. We just don’t want to see a company dig themselves deeper and bury themselves in. Guess we all learned some useful life lessons during this past couple of days. Adios,” he said in a long post.
Without revealing the exact reason for giving up on his data, the hacker claims that he doesn’t want to hurt the company ahead of its listing. MobiKwik is targeting an IPO before September 2021 and expects to raise between $200 million and $250 million.
March 30, 7:28PM: Hacker claims in a separate post that he hasn’t taken any money for deleting data voluntarily.
The leaked database had personal details of 10 crore users and the hacker had put an asking price of around Rs 65 lakh or 1.5 Bitcoin. The math roughly translates to six paise per user. With Mobikwik denying the breach, we only have the hacker’s word here that the data has actually been deleted. Also, we have little option but to believe the hacker that he hasn’t sold the data to any other party already. Having said that, the leaked data is already claimed to be floating around Telegram groups.
While the data may not be of use in direct financial frauds, it can be used for impersonation, bullying, targeted spam and phishing attempts and other kinds of online crimes.