MobiKwik, the popular Indian mobile payments service, suffered a data breach in which 8.2 terabytes (TB) of data belonging to millions of its users began circulating on the dark web.
The leaked data includes sensitive personal information such as customer names, hashed passwords, email addresses, residential addresses, GPS locations, lists of installed apps, partially masked credit card numbers, connected bank accounts and their account numbers, and know-your-customer (KYC) documents of 3.5 million users.
The leak also revealed that MobiKwik does not delete card information from its servers even after a user has removed it, which is considered a breach of government regulations.
According to new guidelines issued by the Reserve Bank of India, online merchants, e-commerce websites, and payment aggregators are prohibited from storing a customer's card details online. The rules come into effect in July 2021.
As of July 2020, MobiKwik has 120 million users and 3 million retailers across the country.
The data leak site, which is accessible via the Tor browser and claims to hold 36,099,759 records, came online after the company denied the incident on March 4 following a report by independent security researcher Rajshekhar Rajaharia.
In response to his report, MobiKwik tweeted that the researcher had presented fabricated files to attract media attention, and that the company had investigated his allegations and found no security lapses.
Multiple users have confirmed finding their personal details on the “MobiKwik India data leak” site.
According to sources, the compromise was originally advertised on a database-leaking forum on February 24, with a hacker claiming access to 6 TB of data from an unnamed Paytm competitor.
After Rajaharia disclosed the leak, which revealed the company's identity, and warned MobiKwik over email, the firm took measures to stop the hacker from downloading further data.
The hacker posted on the forum that they had lost access to the company's main servers and were no longer able to download anything new.
In a separate listing on March 27, the hacker claimed to have recovered all of the data and put it up for sale, offering what is alleged to be 8 TB of the company's data for 1.5 bitcoin ($85,684.65).
Later, the plan to sell the data appears to have been suspended until further notice.
It is not known how the hacker attained unauthorized access to MobiKwik’s servers.
Image credit: VCCircle