Friday, May 14, 2021
Home News Reports Moneycontrol.com data breach: Personal details of over seven lakh users up for sale on...

Moneycontrol.com data breach: Personal details of over seven lakh users up for sale on Hackers forums – Here is what we know so far

According to the hacker who has posted the dump on the hackers' forum, the database contains 7,73,000 records with personal data of the users

On April 8, Sourajeet Majumdar, an independent security researcher, reported that personal data of over 7 lakh registered users of moneycontrol.com is available on the hackers’ forum for just $350. OpIndia investigated the claims, and here is what we have found so far.

According to the hacker who has posted the dump on the hackers’ forum, the database contains 7,73,000 records with personal data of the users. The hackers claimed that the breach took place around six to seven months ago.

Screenshot of post by hacker

The database contains email, dehashed password, country, phone number, date of birth, gender, address, city, state and more. The majority of the users in the list are from India, said the hacker in the post.

Screenshot of post by hacker

Majumdar contacted the hackers on Telegram

Majumdar tried to contact the hackers on the Telegram ID provided in the post. According to the chat screenshots posted by Majumdar, the hackers claimed that they have details of over 40 million users but want to sell details of only 7 lakh users at the moment. They may sell the whole dump in the future at a higher price. Allegedly, they have some plans with the data dump they have, the chat records revealed.

He further said that the hackers shared information of 40 users with him. When he tried to verify the details, he found out that the majority of them were, in fact, working, and he was able to login with the credentials. He added, “Among the credentials they shared, there were also @moneycontrolcom accounts which had their email address verified which hints that they are not dummy accounts made by the sellers (since only the owner of the email ID can verify the account).”

On further discussion with the hackers, they revealed that the database would be sold to five buyers at $350 each. If a single person wants to take control of the database, they will charge up to €650. The hackers further claimed that the vulnerability they exploited to extract the data has now been fixed.

Reverse searching numbers available in sample

Majumdar and we both tried to match the numbers available in the sample provided by the hackers. The majority of the numbers matched with the names mentioned in the sample accounts the hackers provided, making their claims authentic.

MoneyControl’s reply

Pandurang Nayak, Chief Technology Officer, Digital, Network 18, replied to the thread on April 9 and said that prima facie, the data appears to be an old set. He said, “Appreciate that this has been brought to our attention. Prima facie, this appears to be an old data set. Information pertaining to current users is absolutely safe. The organisation takes its responsibility towards information security very seriously.”

He firther added that the company had protocols in place to prevent data breaches, he said, “The best systems and protocols are in place to prevent data breaches. We review our systems periodically and constantly work to improve the security of our information based on feedback received.” Nayak did not openly accepted that a data breach had happened.

MoneyControl started resetting users’ passwords

On April 10, a user replied to Majumdar’s thread on Twitter and said that MoneyControl had reset his password, claiming it was not in compliance with their latest password policy. The email contained the username and new auto-generated password. Now, as claimed by the CTO that the user information of the new users is safe, it makes one wonder what led them to reset the passwords of the users.

To Nayak’s reply, Majumdar asked him if he acknowledges that there was a breach. He asked what criteria Nayak used to reach the conclusion that the data is old. He also questioned if the accounts were created before they updated the password policy, how the company is going to ensure the security of the users. Nayak did not reply by the time this report was published. We also tried reaching him, but there was no reply so far.

OpIndia reached out to Sourajeet Majumdar

While discussing the breach with OpIndia, Sourajeet Majumdar said that he disagrees with CTO’s statement. He said, “Well though the CTO mentioned in his tweet that the data is old, however, I disagree with his statement. I don’t think, so people’s address, name, DOB and phone number change very often and thus, calling it old data is not justified. Other than that, the login credentials which the hackers provided as a sample are valid and working, and I was able to login to other’s Moneycontrol accounts; thus, this is definitely not old data.”

He further added that data as such are goldmines for Cyber Criminals. “The data, which has been leaked in this incident, is enough to track down a person. Criminals can thus run targeted “Phishing Campaigns” or other “Social Engineering” attacks against users, which might prove to be fatal. Also, since, in this case, even login credentials have been breached, somebody who has access to these credentials can easily log in to the user’s account and make any changes, and nothing can be more worse than this,” he said.

An old data breach can leave users vulnerable

It is not just MoneyControl that tried to wash their hands from the alleged data breach by stating the database looks old. A few days back, when over 500 million user accounts of Facebook were leaked, the tech giant also made similar claims. However, both Facebook and MoneyControl failed to acknowledge that even if the data is old, it can be used by hackers to cause substantial damage.

According to the hacker, the database contains names, phone numbers, email ID and other information. The said information can be used to send spam emails and messages that can lead to financial loss. Even someone is an informed user who does not click on links in spam emails or messages, such messages are no less than a nuisance.

  Support Us  

Whether NDTV or 'The Wire', they never have to worry about funds. In name of saving democracy, they get money from various sources. We need your support to fight them. Please contribute whatever you can afford

OpIndia Staffhttps://www.opindia.com
Staff reporter at OpIndia

Related Articles

Trending now

While Delhi govt was alleging inadequate oxygen supply, data show it was returning oxygen to suppliers, asked them to store the excess

Due to lack of storage plants and not enough demand, Delhi govt had returned oxygen and asked the suppliers to store them

Kamala Harris’ niece wants people to fight for Palestine to protect the LGBT community: Here is how they are treated in Gaza

Kamala Harris' niece Meena Harris has once again found herself in a controversial position amidst the Israel-Palestine conflict

Author attempts to defend Hemkunt foundation on receiving foreign donation without FCRA registration: Here is how she is wrong

Out of last 100 donations to Hemkunt Foundation on Ketto, 63 were foreign contributions amounting over Rs 1 crore

Australia: Hindus outrage at the racist attack after minced beef was found dumped in a community cricket pitch

About 2 kg of minced beef was found dumped on the wicket on the Hargrave Reserve Pitch at Modbury Heights in Adelaide, South Australia. The pitch is used by the local Hindu community.

The façade of Indian secularism: How the uncomfortable truth about realities of Sanatanis is hidden by Lutyens ecosystem

The neatly ordered world according to the Nehruvian idea of India is nothing more than brushing the rubbish under the carpet and pretending upon the cleanliness while ignoring the fact that someday the rubbish will overflow the bounds of the rug.

Israel: Here is why the average Hindu supports them

Israel has no history of animosity against India and her citizens and Israel has stood during India in thick and thin.

Recently Popular

Narcissism at its worse: After doubts were raised on the help being provided by Sonu Sood, actor gets called out for sharing cringe self-laudatory...

After making questionable claims on helping Covid-19 victims, Sonu Sood now shares cartoons that shows him as a God

Israeli actress Gal Gadot, who once hailed ‘Shaheen Bagh dadi’, wishes for safety for Israel, gets hate from Islamists and ‘liberals’ in return

Gal Gadot's prayer for peace in her home country Israel irks up 'liberals' who even accused her of being a genocide enabler.

Israel spy agency Mossad’s parody account pokes fun at Bollywood entertainer Swara Bhasker over her ‘#FreePalestine’ campaign

Swara Bhasker had posted a tweet calling Israel apartheid and terrorist state following the clashes at the Al Aqsa Mosque in Jerusalem

Rihanna gets cancelled by Islamists for saying that Israeli and Palestinian lives are equal

Several social media users slammed Rihanna for her Instagram post mourning the loss of lives on both sides during Israel-Palestine conflict

Watch: Israel Defence Forces destroy 14-floor terrorist hideout inside Gaza in a precision airstrike

"Terror organisations have been hit hard and will continue to be hit because of their decision to hit Israel. We'll return peace and quiet for the long term," Israeli Defence Minister Benny Gantz said.
- Advertisement -

 

Connect with us

254,941FansLike
543,195FollowersFollow
24,300SubscribersSubscribe