On April 8, Sourajeet Majumdar, an independent security researcher, reported that personal data of over 7 lakh registered users of moneycontrol.com is available on the hackers’ forum for just $350. OpIndia investigated the claims, and here is what we have found so far.
THIS IS HUGE!! A user of a hacking forum, along with his partner, is selling personal data of 700K+ users for just $350, which they have allegedly stolen from @moneycontrolcom's server 6-7 months back. — Sourajeet Majumder (@TechCrucio) April 8, 2021
1/9 @IndianCERT @NCIIPC @sanjg2k1 @internetfreedom #databreach #privacy pic.twitter.com/eiKOlCXQwj
According to the hacker who has posted the dump on the hackers’ forum, the database contains 7,73,000 records with personal data of the users. The hackers claimed that the breach took place around six to seven months ago.
The database contains email, dehashed password, country, phone number, date of birth, gender, address, city, state and more. The majority of the users in the list are from India, said the hacker in the post.
Majumdar contacted the hackers on Telegram
Majumdar tried to contact the hackers on the Telegram ID provided in the post. According to the chat screenshots posted by Majumdar, the hackers claimed that they have details of over 40 million users but want to sell details of only 7 lakh users at the moment. They may sell the whole dump in the future at a higher price. The chat records also showed the hackers claiming to have other plans for the data dump they hold.
I was able to have a conversation with them on Telegram and what they shared blew my mind: — Sourajeet Majumder (@TechCrucio) April 8, 2021
According to them, they exploited a vulnerability in @moneycontrolcom and were able to access 40M+ records but are willing to sell only 700K+ records since they have other plans.
He further said that the hackers shared information of 40 users with him. When he tried to verify the details, he found that the majority of them were, in fact, working, and he was able to log in with the credentials. He added, “Among the credentials they shared, there were also @moneycontrolcom accounts which had their email address verified which hints that they are not dummy accounts made by the sellers (since only the owner of the email ID can verify the account).”
On further discussion with the hackers, they revealed that the database would be sold to five buyers at $350 each. If a single person wants to take control of the database, they will charge up to €650. The hackers further claimed that the vulnerability they exploited to extract the data has now been fixed.
They added that they will be selling the database to only 5 different buyers for $350 each. However, if somebody wants to have the data all alone, then the price will go up to €650. They also said the vulnerability that they had exploited to get this data has now been fixed. — Sourajeet Majumder (@TechCrucio) April 8, 2021
Reverse searching numbers available in sample
Both Majumdar and OpIndia tried to match the phone numbers in the sample provided by the hackers against the names listed with them. The majority of the numbers matched the names in the sample accounts, which supports the hackers' claims.
Pandurang Nayak, Chief Technology Officer, Digital, Network 18, replied to the thread on April 9 and said that prima facie, the data appears to be an old set. He said, “Appreciate that this has been brought to our attention. Prima facie, this appears to be an old data set. Information pertaining to current users is absolutely safe. The organisation takes its responsibility towards information security very seriously.”
The best systems and protocols are in place to prevent data breaches. We review our systems periodically and constantly work to improve the security of our information based on feedback received. (2/2)— Pandurang Nayak (@pandurang) April 9, 2021
He further added that the company had protocols in place to prevent data breaches: “The best systems and protocols are in place to prevent data breaches. We review our systems periodically and constantly work to improve the security of our information based on feedback received.” Nayak did not openly accept that a data breach had happened.
MoneyControl started resetting users’ passwords
On April 10, a user replied to Majumdar’s thread on Twitter and said that MoneyControl had reset his password, claiming it was not in compliance with their latest password policy. The email contained the username and a new auto-generated password. Given the CTO’s claim that current users’ information is safe, it is unclear what led the company to reset users’ passwords.
😱 OMG that’s why they’re sending mail like this pic.twitter.com/bT4GrzOHfQ— Furman (@furmanism) April 10, 2021
In response to Nayak’s reply, Majumdar asked him whether he acknowledges that there was a breach, and what criteria he used to conclude that the data is old. He also asked how the company would ensure the security of users whose accounts were created before the password policy was updated. Nayak had not replied by the time this report was published. We also tried reaching him, but there has been no reply so far.
Also, being a user of moneycontrol’s service, I would like to know what steps will be taken to prevent this data set from being sold on hacking forums? — Sourajeet Majumder (@TechCrucio) April 9, 2021
Also, will the affected users be informed, so that they can change their passwords asap to lower the impact of the breach?
OpIndia reached out to Sourajeet Majumdar
While discussing the breach with OpIndia, Sourajeet Majumdar said that he disagrees with the CTO’s statement. He said, “Well, though the CTO mentioned in his tweet that the data is old, I disagree with his statement. I don’t think people’s address, name, DOB and phone number change very often, and thus calling it old data is not justified. Other than that, the login credentials which the hackers provided as a sample are valid and working, and I was able to log in to others’ Moneycontrol accounts; thus, this is definitely not old data.”
He further added that such data is a goldmine for cyber criminals. “The data which has been leaked in this incident is enough to track down a person. Criminals can thus run targeted ‘phishing campaigns’ or other ‘social engineering’ attacks against users, which might prove to be fatal. Also, since in this case even login credentials have been breached, somebody who has access to these credentials can easily log in to the user’s account and make any changes, and nothing can be worse than this,” he said.
An old data breach can leave users vulnerable
It is not just MoneyControl that has tried to wash its hands of an alleged data breach by stating that the database looks old. A few days earlier, when over 500 million Facebook user accounts were leaked, the tech giant made similar claims. However, both Facebook and MoneyControl failed to acknowledge that even if the data is old, it can be used by hackers to cause substantial damage.
According to the hacker, the database contains names, phone numbers, email IDs and other information. This information can be used to send spam emails and messages that can lead to financial loss. Even for an informed user who does not click on links in spam emails or messages, such messages are no less than a nuisance.