Popular Indian mobile payments service MobiKwik on Monday
came under fire after 8.2 terabytes (TB) of data belonging to
millions of its users began circulating on the dark web in the
aftermath of a major data breach that came to light earlier this
month.

The leaked data includes sensitive personal information such
as:

  • customer names,
  • hashed passwords,
  • email addresses,
  • residential addresses,
  • GPS locations,
  • list of installed apps,
  • partially-masked credit card numbers,
  • connected bank accounts and associated account numbers,
  • and even know your customer (KYC) documents of 3.5 million
    users.

Even worse, the leak also shows that MobiKwik does not delete card information[1] from its servers even
after a user has removed it, in what’s likely a breach of
government regulations.

New guidelines issued by India’s apex banking institution, the
Reserve Bank of India, prohibit[2]
online merchants, e-commerce websites, and payment aggregators from
storing card details of a customer online. The rules are set to
come into effect starting July 2021.

As of July 2020, MobiKwik serves[3]
120 million users and 3 million retailers across the country.

The data leak site, which is accessible via the Tor browser and
boasts of 36,099,759 records, came online after the digital wallet
company vehemently denied the incident on March 4 following a
report[4]
by independent security researcher Rajshekhar Rajaharia.

“A media-crazed so-called security researcher has repeatedly
over the last week presented concocted files wasting precious time
of our organization while desperately trying to grab media
attention,” MobiKwik tweeted[5]. “We thoroughly
investigated his allegations and did not find any security lapses.
The various sample text files that he has been showcasing prove
nothing. Anyone can create such text files to falsely harass any
company.”

However, multiple users[6]
have confirmed to the contrary, finding their personal details in
the “MobiKwik India data leak” site, lending credence to the
breach.

“Never *ever* behave like @MobiKwik has in this thread from 25
days ago,” Troy Hunt, security researcher and creator of the breach
notification service Have I Been Pwned, said[7]
in a tweet, calling out MobiKwik’s handling of the
situation.

According to sources close to the incident, the compromise was
originally advertised on a database leaking forum on February 24,
with a hacker claiming access to 6TB of data from an unnamed Paytm
competitor.

Interestingly, it appears that after Rajaharia disclosed[8]
the leak, outed the company’s identity, and warned MobiKwik over
email, the firm simultaneously took measures to stop the hacker
from downloading the data.

“We […] lost access to main company servers, not surprising
though… Cant download anything new,” the hacker said in a forum
post a day later, adding that partial download might have been
corrupted.

“We never wanted any money anyway, so not sad. But one of the
biggest hacks of KYC ever shit!!! OR SO WE THOUGHT. 🙁 So, I guess
I grow old saying I used to hack and shit. Rather than actually
hacking and shit. Exciting 1 month though!!!,” the hacker said,
implying that the hack dated back to January, echoing Rajaharia’s
tweets from March 4.

But a month later, in a separate listing on March 27, the hacker
claimed, “we recovered all data and it’s up for sale,” offering up
what is alleged to be 8TB of MobiKwik’s data for 1.5 bitcoin
($85,684.65).

However, in an interesting turn of events, plans to put the data
on sale appear to have been suspended until further notice. “Only
sell this to company after due verification that we are dealing
with company,” the hacker said in an update, implying an extortion
scheme.

It’s not immediately clear how the threat actor managed to gain
unauthorized access to MobiKwik’s servers, but the hacker said,
“it’ll be embarrassing for the company. story for someother time..”
(sic)

The Hacker News has reached out to MobiKwik, and we will update
the story if we receive a response.

References

  1. delete the card information (twitter.com)
  2. prohibit (www.rbi.org.in)
  3. serves (blog.mobikwik.com)
  4. report (twitter.com)
  5. tweeted (twitter.com)
  6. multiple users (twitter.com)
  7. said (twitter.com)
  8. disclosed (twitter.com)