10 crore MobiKwik users' KYC data breached over 1 month
In a post on Raid Forum, the hacker claimed to have deleted the data backup of over 10 crore MobiKwik users. The hacker, going by the name "ninja_storm", had put about 8.2TB of MobiKwik users' data up for auction at a price of 1.5 Bitcoin (approx. 65 lakh) on 27 March 2021.
The most concerning part of the whole controversy is that the hacker appears to have obtained the personal data of around 10 crore MobiKwik users. According to cyber security researcher Rajshekhar Rajaharia, the hacker gained access to the data around 21 January 2021. The breached data consists of emails, phone numbers, addresses, passwords, phone manufacturer names, IP addresses, GPS locations and much other critical information. Of the 10 crore users, the database contains bank card details of around 4 crore users, as well as KYC data: Aadhaar cards, PAN cards, photo proofs, passports, driving licences and all the other government documents required for KYC verification.
The breach unfolded in the following sequence of events:
February 8, 2021:
A hacker with the name "ninja_storm" joined Raid Forum.
February 24, 2021:
The user "ninja_storm" posted for the first time, in a thread titled "BIG DATA LEAK of one of top 3 financial services company from India - 7TB". His DMs filled up with replies from prospective buyers, but up to that point the hacker had not revealed the name of the company. When more buyers started asking for proof of the data, he replied in the same thread that he had already sent initial proof to four people. He also said: "Will setup discord or telegram or jabber and update the thread. We are moving the data to better and more secure server will be done in 24 hrs @ 60-100 MBPS." Later that day a Discord server link was posted in the thread.
February 25, 2021:
The hacker posted that he had lost access to the initial server while transferring the data to another server and that there was no real data left with him.
February 26, 2021:
Again!! 11 Crore Indian Cardholder's Cards Data Including personal details & KYC soft copy(PAN, Aadhar etc) allegedly leaked from a company's Server in India. 6 TB KYC Data and 350GB compressed mysql dump.@RBI @IndianCERT #InfoSec #dataprotection #Finance pic.twitter.com/yjc7davH3k
— Rajshekhar Rajaharia (@rajaharia) February 26, 2021
On the very next day, cybersecurity researcher Rajshekhar Rajaharia tweeted about the data breach for the first time. At this point the company's name had still not been revealed.
February 27, 2021:
Rajaharia revealed the name of the company: MobiKwik. The hacker had not wanted to reveal the company's name because he wanted to make money from the data. But when he created the Discord group and shared a snippet of the database structure there, the cyber security researcher deduced that it belonged to MobiKwik.
March 4, 2021:
A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organization while desperately trying to grab media attention.We thoroughly investigated his allegations and did not find any security lapses. 1/n
— MobiKwik (@MobiKwik) March 4, 2021
MobiKwik released its first official statement regarding the data breach, claiming that "a media-crazed so-called security researcher" had reported a false cybersecurity case to grab attention. The company said it would take strict action against the researcher through its legal team.
March 6, 2021:
The hacker confirmed that the leaked data belonged to MobiKwik and once again claimed to have "lost the data".
March 27, 2021:
On Raid Forum, the hacker claimed to have recovered all the data and announced that it was up for sale for 1.5 BTC, which is around Rs. 65 lakh. He had earlier claimed the data was of no use, since a user needs OTP verification to log in or carry out a transaction.
Several users blamed MobiKwik for the data breach on Twitter, and after finding their details on an onion search engine, a few people shared screenshots of their leaked personal information on Twitter.
March 29, 2021:
The hacker offered to delete all the data only if MobiKwik publicly acknowledged the data breach.
After all the allegations, MobiKwik decided to have a third-party forensic data security audit conducted. The hacker posted another message on Raid Forum claiming that he had deleted all the data.
A breach of this kind is sure to damage MobiKwik's reputation ahead of its IPO round. The exposed information is highly sensitive and can be used against the individuals concerned, so companies should take strict measures when a breach occurs.