MobiKwik 10 crore users data leaked on dark web, company denies data breach
The data of nearly 10 crore users of mobile wallet and payments app MobiKwik is reported to be on sale on a hacker forum on the dark web. MobiKwik has denied any data breach.
Data from about 110 million users of mobile wallet and payments app MobiKwik is reportedly for sale on a hacker forum on the dark web. The dataset is about 8.2TB in size and contains KYC documents, Aadhaar cards, credit card details, mobile phone number details associated with MobiKwik wallets, etc.
The claim was first made in early March by independent security researcher Rajshekhar Rajaharia, who has also previously highlighted other data leaks. However, MobiKwik has categorically denied all claims of any data leaks and has issued a detailed blog statement.
Rajaharia has, however, received support from others in cybersecurity, including French cyber security expert Elliot Alderson aka Robert Baptiste, who posted on Twitter that the leak appears to be genuine. Australian web security researcher Troy Hunt, creator of ‘Have I Been Pwned’, also supported Rajaharia’s findings.
It appears that the data is available for searching through a link using the Tor browser. Many users also took to Twitter to share how they found their personal information, including credit and debit card details, through this link.
The link shows KYC (Know Your Customer) details for many users, and information such as Aadhaar card, signature, etc. can be viewed. However, search on the link is currently disabled. Rajaharia said that they have masked a lot of the data so that threat actors cannot misuse it, and that they would have to reduce the functionality of the search as bots were being used to scan the data.
Meanwhile, in a detailed blog post, the company has said that the data has not been leaked. It wrote that it “takes its data security very seriously, and fully complies with applicable data protection laws.” It also stated that “this is a long-running bounty program, where ethical hackers report security issues that are fixed immediately.”
Regarding the data leak, the company said that it is investigating: “It is entirely possible that any user can upload their information across multiple platforms. Therefore, it is incorrect to suggest that the data available on Darkweb is accessed from Mobikwik or any identified source.”
The issue was first reported in early March. At the time, MobiKwik dismissed all claims in a series of tweets, saying it would take legal action against Rajaharia and calling him a ‘media-crazed’ researcher.
The company also reiterated that “with the help of external security experts, thorough investigation and no evidence of breach was found”. MobiKwik has said that it is “working closely with expected authorities,” and voiced “the belief that security protocols for storing sensitive data are robust and have not been breached.” It will also get a third party to conduct a forensic data security audit as a precaution.
The statement also seeks to reassure users that all their data is secure and that all financially sensitive data is encrypted.
“No misuse of your wallet balance, credit card or debit card is possible without a one-time-password (OTP) that only comes on your mobile number. We strongly recommend that you do not try to open any dark / anonymous links as they may endanger your own cyber security,” the company said.