Saturday, June 12, 2021
Home News Reports Moneycontrol.com data breach: Personal details of over seven lakh users up for sale on...

Moneycontrol.com data breach: Personal details of over seven lakh users up for sale on Hackers forums – Here is what we know so far

According to the hacker who has posted the dump on the hackers' forum, the database contains 7,73,000 records with personal data of the users

On April 8, Sourajeet Majumdar, an independent security researcher, reported that personal data of over 7 lakh registered users of moneycontrol.com is available on the hackers’ forum for just $350. OpIndia investigated the claims, and here is what we have found so far.

According to the hacker who has posted the dump on the hackers’ forum, the database contains 7,73,000 records with personal data of the users. The hackers claimed that the breach took place around six to seven months ago.

Screenshot of post by hacker

The database contains email, dehashed password, country, phone number, date of birth, gender, address, city, state and more. The majority of the users in the list are from India, said the hacker in the post.

Screenshot of post by hacker

Majumdar contacted the hackers on Telegram

Majumdar tried to contact the hackers on the Telegram ID provided in the post. According to the chat screenshots posted by Majumdar, the hackers claimed that they have details of over 40 million users but want to sell details of only 7 lakh users at the moment. They may sell the whole dump in the future at a higher price. Allegedly, they have some plans with the data dump they have, the chat records revealed.

He further said that the hackers shared information of 40 users with him. When he tried to verify the details, he found out that the majority of them were, in fact, working, and he was able to login with the credentials. He added, “Among the credentials they shared, there were also @moneycontrolcom accounts which had their email address verified which hints that they are not dummy accounts made by the sellers (since only the owner of the email ID can verify the account).”

On further discussion with the hackers, they revealed that the database would be sold to five buyers at $350 each. If a single person wants to take control of the database, they will charge up to €650. The hackers further claimed that the vulnerability they exploited to extract the data has now been fixed.

Reverse searching numbers available in sample

Majumdar and we both tried to match the numbers available in the sample provided by the hackers. The majority of the numbers matched with the names mentioned in the sample accounts the hackers provided, making their claims authentic.

MoneyControl’s reply

Pandurang Nayak, Chief Technology Officer, Digital, Network 18, replied to the thread on April 9 and said that prima facie, the data appears to be an old set. He said, “Appreciate that this has been brought to our attention. Prima facie, this appears to be an old data set. Information pertaining to current users is absolutely safe. The organisation takes its responsibility towards information security very seriously.”

He firther added that the company had protocols in place to prevent data breaches, he said, “The best systems and protocols are in place to prevent data breaches. We review our systems periodically and constantly work to improve the security of our information based on feedback received.” Nayak did not openly accepted that a data breach had happened.

MoneyControl started resetting users’ passwords

On April 10, a user replied to Majumdar’s thread on Twitter and said that MoneyControl had reset his password, claiming it was not in compliance with their latest password policy. The email contained the username and new auto-generated password. Now, as claimed by the CTO that the user information of the new users is safe, it makes one wonder what led them to reset the passwords of the users.

To Nayak’s reply, Majumdar asked him if he acknowledges that there was a breach. He asked what criteria Nayak used to reach the conclusion that the data is old. He also questioned if the accounts were created before they updated the password policy, how the company is going to ensure the security of the users. Nayak did not reply by the time this report was published. We also tried reaching him, but there was no reply so far.

OpIndia reached out to Sourajeet Majumdar

While discussing the breach with OpIndia, Sourajeet Majumdar said that he disagrees with CTO’s statement. He said, “Well though the CTO mentioned in his tweet that the data is old, however, I disagree with his statement. I don’t think, so people’s address, name, DOB and phone number change very often and thus, calling it old data is not justified. Other than that, the login credentials which the hackers provided as a sample are valid and working, and I was able to login to other’s Moneycontrol accounts; thus, this is definitely not old data.”

He further added that data as such are goldmines for Cyber Criminals. “The data, which has been leaked in this incident, is enough to track down a person. Criminals can thus run targeted “Phishing Campaigns” or other “Social Engineering” attacks against users, which might prove to be fatal. Also, since, in this case, even login credentials have been breached, somebody who has access to these credentials can easily log in to the user’s account and make any changes, and nothing can be more worse than this,” he said.

An old data breach can leave users vulnerable

It is not just MoneyControl that tried to wash their hands from the alleged data breach by stating the database looks old. A few days back, when over 500 million user accounts of Facebook were leaked, the tech giant also made similar claims. However, both Facebook and MoneyControl failed to acknowledge that even if the data is old, it can be used by hackers to cause substantial damage.

According to the hacker, the database contains names, phone numbers, email ID and other information. The said information can be used to send spam emails and messages that can lead to financial loss. Even someone is an informed user who does not click on links in spam emails or messages, such messages are no less than a nuisance.

  Support Us  

Whether NDTV or 'The Wire', they never have to worry about funds. In name of saving democracy, they get money from various sources. We need your support to fight them. Please contribute whatever you can afford

OpIndia Staffhttps://www.opindia.com
Staff reporter at OpIndia

Related Articles

Trending now

Wikipedia dismisses Love Jihad as a conspiracy theory by Hindus, but claims reverse Love Jihad against Muslims is real

Wikipedia labels Love Jihad as a fabricated notion even as thousands of non-Muslim girls continue to be afflicted by the menace

‘Corona Mata’ Temple in UP marks a continuing Hindu tradition of worshipping Goddesses for protection against diseases: All you need to know

ANI reported on Saturday that a 'Corona Mata' Temple has been established at Pratapgarh district in Uttar Pradesh.

Chinese spy arrested in Malda confesses to smuggling 1300 Indian Sim cards to China, used for hacking and financial fraud

The Chinese spy was arrested by the BSF when he was trying to enter the country through the Indo-Bangla border in Malda district on Thursday

Why so-called ‘fact-checkers’ are a greater evil than random misinformation that they claim to fight

In his speech, the PM also took veiled jibes at a few CMs as well as loudmouthed opposition politicians with no skin in the game.

How propaganda media and cartoonist Manjul are milking a Twitter email to the hilt

Anti-BJP cartoonist Manjul took to Twitter to insinuate that the Modi government has been trying to silence his freedom of expression.

Leaked Clubhouse chats: Here is what senior Congress leader Digvijay Singh promised to a Pakistan-origin journalist about Kashmir

During conversation with a Pakistani-origin journalist on Clubhouse app, Congress leader Digvijay Singh promised to reinstate Article 370

Recently Popular

TV actor Sushant Singh’s troll account suspended by Twitter, restored later

Team Saath Official was the go-to Twitter account for left-liberals and rabid Islamists to silence nationalist voices in the country.

Leaked Clubhouse chats: Here is what senior Congress leader Digvijay Singh promised to a Pakistan-origin journalist about Kashmir

During conversation with a Pakistani-origin journalist on Clubhouse app, Congress leader Digvijay Singh promised to reinstate Article 370

Temple vandalised, journalist attacked: Communal violence grips Tiljala, Kolkata, BJP leaders, Bengal Governor share details

BJP worker, Devdutta Maji, informed that a Shani Kali temple was vandalised by Islamists in broad daylight in Tiljala on Tuesday.

Kerala: Missing for 11 years, Sajitha found living next door with her lover Rehman in a locked room

For 11 years, Kerala woman Sajitha lived just 500 meters away from her parent's house in her lover's house without the knowledge of anyone

India not to allow return of four Kerala-based women who had joined Islamic State, at least 3 of them are converts: Details

Indian Govt is unlikely to allow four women from Kerala who had left to join Islamic State in Khorasan Province (ISKP).

‘Scientists were threatened Anthony Fauci and his gang will destroy careers and reputation’: Indian experts make explosive claims after emails become public

Anthony Fauci has found himself in the eye of the storm after thousands of his emails were revealed to the world.
- Advertisement -

 

Connect with us

255,564FansLike
552,502FollowersFollow
24,300SubscribersSubscribe