Monday, May 17, 2021
Home Specials OpIndia Explains All you need to know about the Big Basket data breach: Hackers allegedly release...

All you need to know about the Big Basket data breach: Hackers allegedly release data of 20 million Big Basket users for free

It is believed that the data is from the infamous October 2020 breach. The information security firm Cyble Inc. had identified the breach and published a post on November 7 on its website.

On April 25, a hacker group identified as ShinyHunters allegedly released data of 20 million Big Basket users for free on a hacker forum. The hacker wrote that the data file contains email, password (hashed), name, phone number, address, order details and other information of the users. It is believed that the data is from the infamous October 2020 breach. The information security firm Cyble Inc. had identified the breach and published a post on November 7 on its website.

Post by Shinyhunters on hackers’ forum

What had happened in 2020?

As per a detailed report published by global threat intelligence SaaS provider Cyble, the alleged data breach happened on October 14, 2020. Cyble detected the breach on October 30 during its routine Dark Web Monitoring. The data was available for $40,000.  Cyble validated the data, and on November 1, they informed BigBasket about the breach. The company urged them not to disclose the breach. Cyble advised them to let the customers know as they have the right to know about the breach.

On November 2, Cyble started informing the customers about the breach. VP-Engineering, Big Basket, approached Cyble for support and service, but Cyble refused, stating it was a high-risk engagement. However, later Cyble agreed to provide free/non-obligatory services. Big Basket was supposed to disclose the agreement between Cyble and Big Basket, but nothing happened from Big Basket’s end.

On November 7, Cyble made a public disclosure about the breach. On November 9, Big Basket acknowledged that the data was leaked. It has to be noted that not only the data of Big Basket but other companies were also compromised. Cyble later found out that the infamous hacker group ShinyHunters was behind the breach. On November 12, it was revealed that a threat actor identified as The Polaris had paid ShinyHunters $40,000 for the data.

Cyble named in FIR by Big Basket

Interestingly, Big Basket named Cyble in its FIR registered on November 6, 2020, with the cyber cell of the Bengaluru Police against the data breach. Cyble said, “Ironically, it appears that the complaint has made against Cyble itself – who was the informant of the breach aka “shooting the messenger. Cyble reportedly handed over the matter to its legal team to take appropriate action against Big Basket over alleged false accusations.

Disclosure by Big Basket

On November 10, Big Basket made a disclosure statement on social media platforms and said that as the company has been using OTP for login, there was no need to change the password. However, the company did not say anything about the other information like name, address, phone number etc., getting leaked.

“The only customer data that we maintain are email IDs, phone numbers, order details, and addresses, so these are the details that could potentially have been accessed. We have a robust information security framework that employs best-in-class resources and technologies to manage our information. We will continue to proactively engage with best-in-class information security experts to strengthen this further,” Bigbasket said.

After the recent uproar, the company again issued a statement and said that no further action required. However, it does not mention that the data leaked has personal information including name, address and phone numbers that can be used by scammers.

What is in the data?

The SQL file that is available for free to download on the hackers’ forum allegedly contains full names, email IDs, password hashes (potentially hashed OTPs), pin, contact numbers (mobile + phone), full addresses, date of birth, location, and IP addresses of login among many others. OpIndia’s sources have revealed that the data made available by ShinyHunters on the hackers’ forum is legit, and it has all the information mentioned in the description. We cross-checked the information provided by our sources who had access to the data and confirmed it was true.

Experts’ views on the data breach

Alon Gal of UnderTheBreach said in a tweet thread, “To better understand how bad this type of hash is for the passwords, I can test 700,000,000,000 (700 billion) attempts at a password per minute with my RTX 3080.” “These passwords are essentially plaintext,” he added.

While talking to OpIndia, Sourajeet Majumder, Independent Security Researcher, called it shocking and disappointing. He said, “The leaked dataset includes phone numbers and other details of many famous personalities as well who are possibly users of Big Basket. I even found my own PII data as a part of the dataset, which was quite shocking and disappointing for me.”

He added that there are high chances that this dataset which has been publicly dumped, is the same dataset for sale a few months back. “Since the scale of this data breach is quite alarming, Big Basket must look into this asap and notify it’s users about this breach so that they can stay alert from any scam calls or phishing campaigns,” he added.

To stay on the safer side, user’s too must change the passwords of their social media accounts, if they have been using the same password which they once used to sign up on Big Basket. Additionally, they can visit haveibeenpwned.com to check if their PII data was leaked in this breach.

Sunny Nehra, Admin at Hacks And Security, told OpIndia that Big Basket should come forward and inform its users about the corrective steps it has taken since the breach. He also insisted that users should change their passwords to be on the safer side. “As the data has a lot of personal information, I would advise Big Basket users to stay cautious of the malicious links in emails and messages. Scammers, hackers and threat actors can use such data breach to initiate scams that can lead to financial losses.”

Troy Hunt of HaveIBeenPwned said that the 52% of the breached data information was already available on the website. Additional information has been added, and users can check if their information was leaked.

Where to check if your information has been leaked?

Cable made the breached information available on AmiBreached.com. Android and iOS users can get full access to their services by downloading the mobile application. You can also check it on HaveIBeenPwned.com.

About ShinyHunters

The group has been active since 2015. Other aliases of the group are Shiny Hunters, #TheDarkOverlord, Gnostic Players. NightLionSecurity reported that in 2016 they started began terrorizing and extorting organizations. It gained popularity due to the extortion of medical providers and the sale of stolen medical records. In 2017, they started extorting companies like Disney, Netflix and others, saying they will release advanced copies of their productions if their ransom demands were not met. In January, they announced a “change of ownership” on Twitter. NightLionSecurity said that the actions taken as part of The Dark Overload can be traced back to a hacker identified as Christopher Meunier of Calgary from Canada.

Ways to avoid cyber attacks

  • Do not click on any unverified or unidentified links in emails, messages or on social media platforms.
  • Do not open attachments from untrusted senders.
  • Download media from websites that you trust.
  • Do not plugin unfamiliar USBs into your computer.
  • Keep your security software updated and backup your data regularly.
  • Keep your passwords unpredictable. Do not use names, birthdates and other identifiable information. Change passwords regularly.

  Support Us  

Whether NDTV or 'The Wire', they never have to worry about funds. In name of saving democracy, they get money from various sources. We need your support to fight them. Please contribute whatever you can afford

Anurag
Multimedia graduate by education. Writer by profession. Poet by heart.

Related Articles

Trending now

Pakistan based CNN contributor Adeel Raja says world needs another Hitler amidst Israel-Palestine conflict, has history of anti-Semitic tweets

Adeel Raja, freelance contributor at CNN, has said that the world needs a Hitler today amidst the Israel-Palestine conflict.

From ‘lagbhag mana’ to putting up poster by AAP leader as DP to attack PM Modi, things have come a long way for Rahul...

Earlier in the day, Rahul Gandhi had put up the poster and urged PM Modi to arrest him. It is imperative to note here that Rahul Gandhi himself is out on bail in the National Herald corruption case as well as many other cases.

‘F*ck the Jews’, ‘F*ck their daughters, mothers’: Viral video from London shows pro-Palestine protesters advocating rape of Jewish women

A video has gone viral on the internet that purportedly shows pro-Palestine demonstrators abusing Jews in the vilest of words.

Malerkotla: All you need to know about the 23rd district of Punjab with a Muslim-majority population

Muslim appeasement at display? Congress-led Punjab government announced Muslim-dominating Malerkotla as district

Understanding Cytokine Storm: What it is and how it may be responsible for Covid-19 related deaths

Cytokine Storm happens when the body releases too many Cytokine, it leads to immune system attacking own body cells

Rakesh Tikait threatens to defeat BJP in Uttar Pradesh where assembly elections are slated for next year

The 'apolitical' farmer movement has been nothing but political from the beginning.

Recently Popular

Legendary Australian cricketer slams world media for ‘vulture’ journalism, says Incredible India deserves respect: Here is what he said

In a recent post, the former cricketer has expressed his overwhelming support for India and slammed international media for vulture journalism

Watch: Pro-Palestine mob attacks Jewish man in Canada while chanting Allahu Akbar

A jewish girl who went tried to save the girl was also molested in Canada by pro-Palestine mob

Pakistan based CNN contributor Adeel Raja says world needs another Hitler amidst Israel-Palestine conflict, has history of anti-Semitic tweets

Adeel Raja, freelance contributor at CNN, has said that the world needs a Hitler today amidst the Israel-Palestine conflict.

Assam: Six arrested for disrespecting national flag, accused caught using tricolour as table cloth for Eid feast

An image of Rejina Parvin Sultana, a resident of Assam's Tengnamari village, feasting lunch with her family on the occasion of Eid had gone viral on the internet.

Malerkotla: All you need to know about the 23rd district of Punjab with a Muslim-majority population

Muslim appeasement at display? Congress-led Punjab government announced Muslim-dominating Malerkotla as district

‘This man is filming us, beat him up, so what if’s a cop’: Mob beats up policeman in a kabristan in Ahmedabad on Eid

Bhavsingh, who was following the orders of his seniors, was on duty to gather intel in Juhapura when he found his way to the kabristan and saw COVID protocols being flouted.
- Advertisement -

 

Connect with us

255,133FansLike
544,913FollowersFollow
24,300SubscribersSubscribe