Thursday, April 15, 2021
Home News Reports Data of over 3.5 million MobiKwik users up for sale on darknet by hackers:...

Data of over 3.5 million MobiKwik users up for sale on darknet by hackers: January hack, what OpIndia found and what users can do

Sanjeev Gupta, Secretary at ISCS, Ministry of Home Affairs, Government of India, said in a Tweet thread that after learning about the breach, he contacted some tech experts who informed him that his information was, in fact, available in the data dump.

On March 29, it was reported by several cybersecurity experts and media agencies that ‘Know Your Customer (KYC) data of millions of users of payment app Mobikwik is up for sale on the dark web.

Notably, the alleged breach was first reported by a security researcher Rajshekhar Rajaharia on February 26. His claims were earlier denied by Mobikwik. However, several experts say that they were able to access some of the leaked data on the dark web. Several screenshots of the personal data of Mobikwik users has been published on social media network in the last couple of days. According to BGR, the data contains

  • Total 350GB MySQL dumps – > 500 databases
  • 99 million — email ID, phone, passwords, addresses, apps installed, phone manufacturer, IP address, and GPS location
  • 40 million — 10 digit card, month, year, card hash
  • ~7.5 TB of ~3 million Merchant KYC data – passports, Aadhar cards, pan cards, selfie, store picture proof, and more used to get loans on the mobile phone-based payment system.

The breach happened in January 2021 – claimed Rajshekhar

In his tweet thread on February 26, Rajshekhar claimed that information of 11 crores Indian cardholders’ card data, including personal details and KYC (PAN, Aadhaar), is up for sale on the darknet. He further added that the breach happened from the data centre of the company located in India. As per his post, the data comprises 6 TB of KYC data and 350 GB of compressed MySQL dump.

Rajshekhar claimed that the actors behind the alleged breach claimed that they got access to the server in January 2021 and had access for over a month. He also claimed that the company removed a blog post about the 2010 data breach, but when we checked, it was still available.

Screenshot of the old blog post that Rajshekhar claimed was deleted by the company

What is in the leaked data?

As per the reports, the leaked data contains 36,099,759 files spread over 8.2 TB. It contains KYC details, addresses, email IDs, bank account numbers, credit card details, phone numbers and Aadhaar card numbers of MobiKwik customers. The data is up for sale for 1.5 Bitcoin, which converts to approx USD 85,000.

TechNadu said in a post that the email ids, phone numbers, passwords, apps installed, phone manufacturer, IP address, GPS locations, and other details of users were available in the file that is available on the darknet.

The actors behind the attack who go by the name ninja_storm, said in the sale post that they had recovered the data and it is up for sale. He further added in the post that the data could be used to secure small loans just like the USA but in India. “All data deleted on our end after the transfer,” said the hacker towards the end of the post.

Image source: TechNadu

Experts’ views on the breach

Troy Hunt, founder of Have I Been Pwned, a website that checks if someone’s email address or password was compromised, said in a tweet that companies should not behave as Mobikwik did in its March 4 post. “Try Googling ‘Mobikwik data breach’ now…,” he added.

Alon Gal, co-founder and CTO of Hudson Rock, called it a devastating hack. He said, “For each individual, there is just an astounding amount of information, this is really just a devastating hack, and all the data is up for sale by the threat actors.”

Vikash Chaudhary, CEO at HackersEra, said in a post on LinkedIn that his data is also available in the leak. He said, “India should have a strict data privacy law like the EU having GDPR. The saddest part is my data is also there.”

Kiran Jonnalagadda, the founder at HasGeek, said that the leak is real. In the thread posted by him on Twitter, he showed how one could determine if the hack is real. He said that the date in the dump matches an email that he had received by Mobikwik back in 2013 when he created an account on the app. Talking about the credit card details stored in the data dump, he alleged that he did not remember authorizing Mobikwik for saving the details.

While talking about the mismatch in password hash, he said the mismatch is creating some uncertainty. He added, “A password hash match would have made this irrefutable evidence as the password isn’t reused. Sans that, at this point, the evidence is merely compelling.”

Sunny Nehra, Admin at Hacks and Security, said, “The data is real. Anyone can check that by searching their own mobile no. they shared with Mobikwik. Refusal of hacks or leaks by companies have become common nowadays, and that’s costing a lot to their users. One should deny bogus claims, but real claims must be acknowledged.”

Mobikwik’s March 4 statement irked netizens

On March 4, Mobikwik had denied any data breach. In a tweet thread, they said, “We thoroughly investigated his allegations and did not find any security lapses. Our user and company data is completely safe and secure.”

Mobikwik’s tweet thread denying the breach

The company further added that its legal team is looking into the matter. They said, “our legal team will be pursuing strict action against this so-called researcher who is trying to malign our brand reputation for ulterior motives.”

The month-old tweet thread has been making rounds on the social media platform, and Mobikwik users are not pleased with the denial.

Sanjeev Gupta, Secretary at ISCS, Ministry of Home Affairs, Government of India, said in a Tweet thread that after learning about the breach, he contacted some tech experts who informed him that his information was, in fact, available in the data dump. He shared a screenshot of the reply he got and said, “Mobikwik denied it on March 4. So, I tried URL sent to me on DM by some techies & also available publicly. Got all data including mobile no., email, #ed password, credit cards (fields for apps, CVV2, Expiry too!). I shudder to think for those who did full KVC using Aadhaar.”

He further added that his second mobile number was also in the dump. He urged users not to share all the information with payment solution companies, including Mobikwik, Paytm and Amazon.

Sale of the dump suspended

According to a report published by The Hacker News, the sale of the data dump has been suspended by hackers. They said, “Only sell this to the company after due verification that we are dealing with company,” the hacker said in an update. By the update, it seems like the data dump is going to be used as means to extort money from Mobikwik.

OpIndia’s investigation revealed some truth to the claims

We tried to access the dark web link provided in some of the tweets and found that a lot of information was available. One of our team members was able to find details of a family member’s account.

screenshot

Below the search details, random files from the data dump were published. Here are some copies of such files.

Images of KYC data retrieved from data dump. We have hidden the details for privacy.

What should the users do?

  • First of all, change the password of your account immediately. Go to the link https://www.mobikwik.com/mywallet/settings and then click on Change Password. You can do it from the app too.
  • In the next step, until everything is verified and cleared from the company, it is better to withdraw your money from Mobikwik. You can use the link https://www.mobikwik.com/mywallet/balance.
  • If you have added UPI accounts in the app, please remove them. You can use https://www.mobikwik.com/mywallet/linked-banks for this purpose.
  • If you have added debit or credit cards to the account, it is advised to remove them for a while. Visit https://www.mobikwik.com/mywallet/cards and click on Remove.
  • Please do not authorize any payment link without confirming.
  • Make sure to change the authentication passwords for app and bank accounts.
  • It is better to change your UPI passwords too.
  • In case you notice any unusual activity in your bank account, please contact your nearest police station immediately and inform the concerned banks and authorities.

About MobiKwik

Mobikwik was launched in August 2009 by Bipin Singh and Upasana Taku. Initially, it provided a mobile recharge facility. In 2012, Mobikwik launched an e-wallet system that allowed users to pay bills etc. Now, the company has extended its services to money transfer, loans and insurance as well. RBI authorized its semi-closed e-wallet in 2013. The company is planning to launch its IPO by September this year.

OpIndia has tried to reach out to the founders of MobiKwik. The story will be updated accordingly.

  Support Us  

Whether NDTV or 'The Wire', they never have to worry about funds. In name of saving democracy, they get money from various sources. We need your support to fight them. Please contribute whatever you can afford

Anurag
Multimedia graduate by education. Writer by profession. Poet by heart.

Related Articles

Trending now

Chhattisgarh: Families of deceased COVID-19 patients will now have to pay Rs. 2,500 for “storage” and “carriage” of the bodies

After fixing rates for treating moderate, severe, very serious COVID-19 patients, Chhattisgarh introduces dead body handling charges

CNN hoped for higher Covid-19 death toll, hyped pandemic deaths to improve ratings, technical director admits in Project Veritas leak

CNN Technical Director Charlie Chester went on five Tinder dates with a Project Veritas agent where he made the revelations.

Pakistan on the verge of civil war as it bans TLP for violent protests over the arrest of its leader and Muhammad cartoons in...

Pakistan Government has taken the decision to ban Tehreek-i-Labbaik Pakistan (TLP) for their violent protests in the country

Hindu leader in Panipat explains why he thought it is necessary to come out in streets in support of Yati Narsinghanand Saraswati

A Muslim mob came face to face with Hindu organisations who carried out a sit-in vigil in support of Yati Narsinghanand Saraswati

Amdavad Municipal Corporation introduces ‘drive through’ RTPCR testing as COVID-19 cases surge in the state

First ever drive-through RTPCR testing centre opened in Ahmedabad, Gujarat as the state battles Chinese coronavirus

UP govt ramps up measures to fight the resurgent COVID-19 outbreak, airlifts 25,000 doses of Remdesivir using govt plane from Gujarat

The Uttar Pradesh government is working on a war-footing to blunt the second wave of the COVID-19 outbreak

Recently Popular

Mayor Sadiq Khan vows to bring the Indian Premier League to London to boost his reelection chances: Details

London mayor Sadiq Khan promises to bring the Indian Premier League to the British capital as part of his reelection campaign.

CNN staffer reveals to Project Veritas spy how they ran pro-Biden propaganda to get Donald Trump out of office

CNN Technical Director Charlie Chester went on five Tinder dates with the Project Veritas spy where he ended up making the damning revelations.

Missionaries converted over 1 lakh people amidst the pandemic, claims to have planted more churches than all the 25 years of their work in...

Missionaries claim they used the distress faced by poor people during the lockdown to convert them to Christianity and build more churches

COVID-19 outbreak: Maharashtra to get 100 MT oxygen from Ambani owned Reliance’s Jamnagar plant

Urban development minister Eknath Shinde said that Maharashtra will receive 100 MT of oxygen supply from Reliance's Jamnagar plant

What happened in Chhabra after Hindu man was stabbed by Muslim men: Call for peace, attack on a Hindu the next day and more

On April 12, the administration extended curfew for one more day at Chhabra, Baran district in Rajasthan after the communal riot

OpIndia Exclusive: Tata Communications suffers data leak, hackers claim to have sold access to company’s servers, over 50GB data still up for sale

As per two posts by hackers on a hackers' forum, they have gained access to Tata Communications servers and sold them.
- Advertisement -

 

Connect with us

254,077FansLike
529,111FollowersFollow
24,200SubscribersSubscribe