Wednesday, July 28, 2021

Data of over 3.5 million MobiKwik users up for sale on darknet by hackers: January hack, what OpIndia found and what users can do

Sanjeev Gupta, Secretary at ISCS, Ministry of Home Affairs, Government of India, said in a Tweet thread that after learning about the breach, he contacted some tech experts who informed him that his information was, in fact, available in the data dump.

On March 29, several cybersecurity experts and media outlets reported that ‘Know Your Customer’ (KYC) data of millions of users of the payment app Mobikwik is up for sale on the dark web.

Notably, the alleged breach was first reported by security researcher Rajshekhar Rajaharia on February 26. His claims were earlier denied by Mobikwik. However, several experts say that they were able to access some of the leaked data on the dark web. Several screenshots of the personal data of Mobikwik users have been published on social media networks in the last couple of days. According to BGR, the data contains:

  • A total of 350 GB of MySQL dumps from more than 500 databases
  • 99 million records: email ID, phone, passwords, addresses, apps installed, phone manufacturer, IP address, and GPS location
  • 40 million records: card number (10 digits), month, year, and card hash
  • ~7.5 TB of KYC data for ~3 million merchants: passports, Aadhaar cards, PAN cards, selfies, store picture proofs, and more, used to get loans on the mobile phone-based payment system.

The breach happened in January 2021, Rajshekhar claims

In his tweet thread on February 26, Rajshekhar claimed that the card data of 11 crore Indian cardholders, including personal details and KYC documents (PAN, Aadhaar), is up for sale on the darknet. He further added that the breach happened at the company’s data centre located in India. As per his post, the data comprises 6 TB of KYC data and 350 GB of compressed MySQL dumps.

Rajshekhar also said that the actors behind the alleged breach claimed to have gained access to the server in January 2021 and to have kept that access for over a month. He further claimed that the company had removed a blog post about the 2010 data breach, but when we checked, the post was still available.

Screenshot of the old blog post that Rajshekhar claimed was deleted by the company

What is in the leaked data?

As per the reports, the leaked data contains 36,099,759 files spread over 8.2 TB. It contains KYC details, addresses, email IDs, bank account numbers, credit card details, phone numbers and Aadhaar card numbers of MobiKwik customers. The data is up for sale for 1.5 Bitcoin, which converts to approximately USD 85,000.

TechNadu said in a post that the email ids, phone numbers, passwords, apps installed, phone manufacturer, IP address, GPS locations, and other details of users were available in the file that is available on the darknet.

The actor behind the attack, who goes by the name ninja_storm, said in the sale post that they had recovered the data and that it is up for sale. The post further claimed that the data could be used to secure small loans, “just like the USA but in India”. “All data deleted on our end after the transfer,” the hacker said towards the end of the post.

Image source: TechNadu

Experts’ views on the breach

Troy Hunt, founder of Have I Been Pwned, a website that checks if someone’s email address or password was compromised, said in a tweet that companies should not behave as Mobikwik did in its March 4 post. “Try Googling ‘Mobikwik data breach’ now…,” he added.

Alon Gal, co-founder and CTO of Hudson Rock, called it a devastating hack. He said, “For each individual, there is just an astounding amount of information, this is really just a devastating hack, and all the data is up for sale by the threat actors.”

Vikash Chaudhary, CEO at HackersEra, said in a post on LinkedIn that his data is also available in the leak. He said, “India should have a strict data privacy law like the EU having GDPR. The saddest part is my data is also there.”

Kiran Jonnalagadda, founder of HasGeek, said that the leak is real. In a thread posted on Twitter, he showed how one could determine whether the hack is real. He said that the date in the dump matches an email he had received from Mobikwik back in 2013 when he created an account on the app. Talking about the credit card details stored in the data dump, he alleged that he did not remember authorizing Mobikwik to save the details.

While talking about the mismatch in password hash, he said the mismatch is creating some uncertainty. He added, “A password hash match would have made this irrefutable evidence as the password isn’t reused. Sans that, at this point, the evidence is merely compelling.”
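The verification Kiran describes rests on two checks a user can run against a row that purports to be theirs: does the account-creation date match a record the user already holds, and does the user’s own password reproduce the stored hash? The following is an added example, not code from the article or from any of the people quoted in it. It runs entirely offline, tries the common hex-encoded digests (unsalted, salt-prefixed and salt-suffixed) against a constructed sample record, and grades the evidence in the terms the thread uses: a hash match is irrefutable, a date match alone is merely compelling, and a hash in a format the standard library cannot verify (bcrypt and argon2 strings, for instance) is reported as unrecognised rather than treated as a mismatch. The record, salt and password below are constructed for the example.

```python
import hashlib
import hmac

# Hex-digest length -> hashlib algorithm. Covers the simple schemes that
# leaked MySQL dumps commonly contain; anything else is reported as unrecognised.
_HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}


def _is_hex(text):
    try:
        int(text, 16)
        return True
    except ValueError:
        return False


def password_matches(leaked_hash, password, salt=""):
    """Check whether `password` reproduces `leaked_hash` locally.

    Returns True on a match, False on a mismatch, and None when the hash is
    not a plain hex digest of a supported length (e.g. a bcrypt or argon2
    string), so that an unverifiable hash is never mistaken for a mismatch.
    """
    leaked_hash = leaked_hash.strip().lower()
    algo = _HEX_LEN_TO_ALGO.get(len(leaked_hash))
    if algo is None or not _is_hex(leaked_hash):
        return None
    pw, sl = password.encode(), salt.encode()
    # Try the three layouts a simple salted scheme usually takes.
    for data in (pw, sl + pw, pw + sl):
        digest = hashlib.new(algo, data).hexdigest()
        # Constant-time comparison, out of habit rather than necessity here.
        if hmac.compare_digest(digest, leaked_hash):
            return True
    return False


def assess_record(record, own_password, own_signup_date):
    """Grade a leaked row against what the user independently knows."""
    date_match = record.get("created") == own_signup_date
    result = password_matches(record.get("password_hash", ""),
                              own_password, record.get("salt", ""))
    hash_check = {True: "match", False: "mismatch", None: "unrecognised"}[result]
    if result is True:
        verdict = "irrefutable"   # the password reproduces the stored hash
    elif date_match:
        verdict = "compelling"    # date agrees, but the hash does not settle it
    else:
        verdict = "inconclusive"
    return {"date_match": date_match, "hash_check": hash_check, "verdict": verdict}


# Constructed sample row in the shape a leaked user table might take (not real data).
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_RECORD = {
    "email": "user@example.com",
    "created": "2013-06-14",
    "salt": "ab12",
    # sha256(salt + password), built here so the example is self-contained.
    "password_hash": hashlib.sha256(b"ab12" + SAMPLE_PASSWORD.encode()).hexdigest(),
}


if __name__ == "__main__":
    print(assess_record(SAMPLE_RECORD, SAMPLE_PASSWORD, "2013-06-14"))
    print(assess_record(SAMPLE_RECORD, "some other password", "2013-06-14"))
    print(assess_record({"created": "2013-06-14",
                         "password_hash": "$2b$12$not-a-real-bcrypt-string"},
                        SAMPLE_PASSWORD, "2013-06-14"))
```

The point of the three-way result is the uncertainty Kiran describes: a user whose password does not verify has learned nothing if the dump uses a scheme the checker does not support, and the tool should say so rather than report a mismatch. Nothing leaves the machine, so the check can be run on a password that is still in use.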

Sunny Nehra, Admin at Hacks and Security, said, “The data is real. Anyone can check that by searching their own mobile no. they shared with Mobikwik. Refusal of hacks or leaks by companies has become common nowadays, and that’s costing a lot to their users. One should deny bogus claims, but real claims must be acknowledged.”

Mobikwik’s March 4 statement irked netizens

On March 4, Mobikwik had denied any data breach. In a tweet thread, they said, “We thoroughly investigated his allegations and did not find any security lapses. Our user and company data is completely safe and secure.”

Mobikwik’s tweet thread denying the breach

The company further added that its legal team is looking into the matter. They said, “our legal team will be pursuing strict action against this so-called researcher who is trying to malign our brand reputation for ulterior motives.”

The month-old tweet thread has been making the rounds on the social media platform, and Mobikwik users are not pleased with the denial.

Sanjeev Gupta, Secretary at ISCS, Ministry of Home Affairs, Government of India, said in a Tweet thread that after learning about the breach, he contacted some tech experts who informed him that his information was, in fact, available in the data dump. He shared a screenshot of the reply he got and said, “Mobikwik denied it on March 4. So, I tried URL sent to me on DM by some techies & also available publicly. Got all data including mobile no., email, #ed password, credit cards (fields for apps, CVV2, Expiry too!). I shudder to think for those who did full KYC using Aadhaar.”

He further added that his second mobile number was also in the dump. He urged users not to share all the information with payment solution companies, including Mobikwik, Paytm and Amazon.

Sale of the dump suspended

According to a report published by The Hacker News, the hackers have suspended the sale of the data dump. “Only sell this to the company after due verification that we are dealing with company,” the hacker said in an update. Going by the update, it seems the data dump is going to be used as a means to extort money from Mobikwik.

OpIndia’s investigation revealed some truth to the claims

We tried to access the dark web link provided in some of the tweets and found that a lot of information was available. One of our team members was able to find details of a family member’s account.


Below the search details, random files from the data dump were published. Here are some copies of such files.

Images of KYC data retrieved from data dump. We have hidden the details for privacy.

What should the users do?

  • First of all, change the password of your account immediately. Go to the link https://www.mobikwik.com/mywallet/settings and then click on Change Password. You can do it from the app too.
  • In the next step, until everything is verified and cleared from the company, it is better to withdraw your money from Mobikwik. You can use the link https://www.mobikwik.com/mywallet/balance.
  • If you have added UPI accounts in the app, please remove them. You can use https://www.mobikwik.com/mywallet/linked-banks for this purpose.
  • If you have added debit or credit cards to the account, it is advised to remove them for a while. Visit https://www.mobikwik.com/mywallet/cards and click on Remove.
  • Please do not authorize any payment link without confirming.
  • Make sure to change the authentication passwords for app and bank accounts.
  • It is better to change your UPI passwords too.
  • In case you notice any unusual activity in your bank account, please contact your nearest police station immediately and inform the concerned banks and authorities.

About MobiKwik

Mobikwik was launched in August 2009 by Bipin Singh and Upasana Taku. Initially, it provided a mobile recharge facility. In 2012, Mobikwik launched an e-wallet system that allowed users to pay bills and make similar payments. Now, the company has extended its services to money transfer, loans and insurance as well. RBI authorized its semi-closed e-wallet in 2013. The company is planning to launch its IPO by September this year.

OpIndia has tried to reach out to the founders of MobiKwik. The story will be updated accordingly.

Anurag
B.Sc. Multimedia, a journalist by profession.
