Tuesday, May 18, 2021
Home News Reports Moneycontrol.com data breach: Personal details of over seven lakh users up for sale on...

Moneycontrol.com data breach: Personal details of over seven lakh users up for sale on Hackers forums – Here is what we know so far

According to the hacker who has posted the dump on the hackers' forum, the database contains 7,73,000 records with personal data of the users

On April 8, Sourajeet Majumdar, an independent security researcher, reported that personal data of over 7 lakh registered users of moneycontrol.com is available on the hackers’ forum for just $350. OpIndia investigated the claims, and here is what we have found so far.

According to the hacker who has posted the dump on the hackers’ forum, the database contains 7,73,000 records with personal data of the users. The hackers claimed that the breach took place around six to seven months ago.

Screenshot of post by hacker

The database contains email, dehashed password, country, phone number, date of birth, gender, address, city, state and more. The majority of the users in the list are from India, said the hacker in the post.

Screenshot of post by hacker

Majumdar contacted the hackers on Telegram

Majumdar tried to contact the hackers on the Telegram ID provided in the post. According to the chat screenshots posted by Majumdar, the hackers claimed that they have details of over 40 million users but want to sell details of only 7 lakh users at the moment. They may sell the whole dump in the future at a higher price. Allegedly, they have some plans with the data dump they have, the chat records revealed.

He further said that the hackers shared information of 40 users with him. When he tried to verify the details, he found out that the majority of them were, in fact, working, and he was able to login with the credentials. He added, “Among the credentials they shared, there were also @moneycontrolcom accounts which had their email address verified which hints that they are not dummy accounts made by the sellers (since only the owner of the email ID can verify the account).”

On further discussion with the hackers, they revealed that the database would be sold to five buyers at $350 each. If a single person wants to take control of the database, they will charge up to €650. The hackers further claimed that the vulnerability they exploited to extract the data has now been fixed.

Reverse searching numbers available in sample

Majumdar and we both tried to match the numbers available in the sample provided by the hackers. The majority of the numbers matched with the names mentioned in the sample accounts the hackers provided, making their claims authentic.

MoneyControl’s reply

Pandurang Nayak, Chief Technology Officer, Digital, Network 18, replied to the thread on April 9 and said that prima facie, the data appears to be an old set. He said, “Appreciate that this has been brought to our attention. Prima facie, this appears to be an old data set. Information pertaining to current users is absolutely safe. The organisation takes its responsibility towards information security very seriously.”

He firther added that the company had protocols in place to prevent data breaches, he said, “The best systems and protocols are in place to prevent data breaches. We review our systems periodically and constantly work to improve the security of our information based on feedback received.” Nayak did not openly accepted that a data breach had happened.

MoneyControl started resetting users’ passwords

On April 10, a user replied to Majumdar’s thread on Twitter and said that MoneyControl had reset his password, claiming it was not in compliance with their latest password policy. The email contained the username and new auto-generated password. Now, as claimed by the CTO that the user information of the new users is safe, it makes one wonder what led them to reset the passwords of the users.

To Nayak’s reply, Majumdar asked him if he acknowledges that there was a breach. He asked what criteria Nayak used to reach the conclusion that the data is old. He also questioned if the accounts were created before they updated the password policy, how the company is going to ensure the security of the users. Nayak did not reply by the time this report was published. We also tried reaching him, but there was no reply so far.

OpIndia reached out to Sourajeet Majumdar

While discussing the breach with OpIndia, Sourajeet Majumdar said that he disagrees with CTO’s statement. He said, “Well though the CTO mentioned in his tweet that the data is old, however, I disagree with his statement. I don’t think, so people’s address, name, DOB and phone number change very often and thus, calling it old data is not justified. Other than that, the login credentials which the hackers provided as a sample are valid and working, and I was able to login to other’s Moneycontrol accounts; thus, this is definitely not old data.”

He further added that data as such are goldmines for Cyber Criminals. “The data, which has been leaked in this incident, is enough to track down a person. Criminals can thus run targeted “Phishing Campaigns” or other “Social Engineering” attacks against users, which might prove to be fatal. Also, since, in this case, even login credentials have been breached, somebody who has access to these credentials can easily log in to the user’s account and make any changes, and nothing can be more worse than this,” he said.

An old data breach can leave users vulnerable

It is not just MoneyControl that tried to wash their hands from the alleged data breach by stating the database looks old. A few days back, when over 500 million user accounts of Facebook were leaked, the tech giant also made similar claims. However, both Facebook and MoneyControl failed to acknowledge that even if the data is old, it can be used by hackers to cause substantial damage.

According to the hacker, the database contains names, phone numbers, email ID and other information. The said information can be used to send spam emails and messages that can lead to financial loss. Even someone is an informed user who does not click on links in spam emails or messages, such messages are no less than a nuisance.

  Support Us  

Whether NDTV or 'The Wire', they never have to worry about funds. In name of saving democracy, they get money from various sources. We need your support to fight them. Please contribute whatever you can afford

OpIndia Staffhttps://www.opindia.com
Staff reporter at OpIndia

Related Articles

Trending now

Newslaundry columnist Sharjeel Usmani gives communal angle to crime to defame Hindus and ‘Jai Shri Ram’

The crime in Haryana which Sharjeel Usmani used to defame Hindus is suspected to be a case of personal rivalry.

Haryana: Police rules out communal angle in murder of Mewat youth Asif, two groups are old political rivals. Details

As per police, Asif had beaten up Pradeep's group members 20 days back, and Pradeep decided to avenge the attack.

From Mumbai 26/11 attacks to Yati Narsinghanand Saraswati assassination plot: How Islamic terrorists use Hindu symbols

Delhi Police recently averted a major assassination attempt against Dasna Devi Temple head-priest Yati Narsinghanand Saraswati.

Odisha: Sonu Sood clarifies after Ganjam DM says they had not received any communication from him regarding bed for COVID patient

The Collector and District Magistrate of Ganjam has called out Sonu Sood after the actor claimed to have arranged a bed.

Punjab: CM Capt Amarinder accused of threatening Congress MLA for raising his voice in 2015 sacrilege case

Pargat Singh revealed to media that Punjab CM through Captain Sandhu said that he should be ready to face action.

West Bengal: TMC goons pelt stones at CBI office, attack journalists, try to break into Raj Bhawan

TMC goons reached Raj Bhawan and began agitating outside the premises. Later, some of the hooligans tried to scale the gate.

Recently Popular

Pakistan based CNN contributor Adeel Raja says world needs another Hitler amidst Israel-Palestine conflict, has history of anti-Semitic tweets

Adeel Raja, freelance contributor at CNN, has said that the world needs a Hitler today amidst the Israel-Palestine conflict.

Odisha: Sonu Sood clarifies after Ganjam DM says they had not received any communication from him regarding bed for COVID patient

The Collector and District Magistrate of Ganjam has called out Sonu Sood after the actor claimed to have arranged a bed.

Vinod Dua’s daughter, who wanted all ‘bhakts’ dead, receives help from a ‘bhakt’ MP while her mother needed critical COVID medicines

BJP supporters lodged their protest about minister chipping in to help the elites in India, when commoners are equally suffering, especially when the elites have not asked for their help.

Assam: Six arrested for disrespecting national flag, accused caught using tricolour as table cloth for Eid feast

An image of Rejina Parvin Sultana, a resident of Assam's Tengnamari village, feasting lunch with her family on the occasion of Eid had gone viral on the internet.

UAE warns Hamas, asks to keep ‘calm’ or lose funding for infrastructure projects in Gaza

Last year, the United States under the Donald Trump administration has helped to broker a peace deal between UAE and Israel in the form of 'Abraham Accords.'

Legendary Australian cricketer slams world media for ‘vulture’ journalism, says Incredible India deserves respect: Here is what he said

In a recent post, the former cricketer has expressed his overwhelming support for India and slammed international media for vulture journalism
- Advertisement -


Connect with us