Sensitive data belonging to millions of MobiKwik cardholders and users has been compromised and put up for sale online, according to several security researchers. News of a massive data breach does not bode well for the digital payments company, which is in the midst of preparing for an initial public offering in the second half of this year.
The breach was first reported by cyber security researcher Rajshekhar Rajaharia in February this year. On Monday, French security researcher Robert Baptiste (who goes by the pseudonym Elliot Alderson) said on Twitter that the breach was possibly one of the largest leaks of Know-Your-Customer (KYC) information in history. Baptiste’s tweet has since been taken down by Twitter for violating its rules.
The data dump, around 8.2 terabytes in size, allegedly belongs to users of the payments application and includes their sensitive financial and personal information. According to the listing, it includes:
- 8.2 TB of data in 36 million files, containing KYC information belonging to 3.5 million people
- Around 7.5 TB of KYC data pertaining to over 3 million merchants on MobiKwik’s network
- A total of 350 GB of MySQL dumps covering 500 databases
- Phone numbers, email addresses, hashed passwords, postal addresses, bank account details and card details of 99 million users
- Over 40 million card records, each with up to 10 digits of the card number along with the expiry month and year and card hash data
Massive data dump on sale
According to screenshots of the leak seen by MediaNama, the data dump includes customers’ photographs, names, credit and debit card details, email addresses, mobile numbers, Aadhaar numbers, bank statements and Permanent Account Numbers, among other information.
Over the weekend, a website on the dark web went online revealing details of the data dump. It lets visitors check whether their data, as stored by MobiKwik, was part of the dump. The website, which is also reachable on the open web, lets visitors query the database and displays KYC information. Alongside the query results it also shows photographs of Aadhaar cards, PAN cards and other official documents, which can be used to view other users’ details.
MediaNama journalists also queried the database for their own records using their names, email addresses or phone numbers, and found that the data on the website, including card and bank account information, was accurate.
Screenshots of conversations between the hacker and users on the messaging platform Discord reveal that the hacker partially leaked parts of the data dump online in order to entice bids from other hackers or hacking groups. The hacker also said they were looking to sell the information back to the company. According to the website, the hacker is willing to sell the entire dataset for 1.5 bitcoin, or about $84,000.
We are all using credit and debit cards online on a daily basis. Companies should take responsibility for users’ data strongly. There should be a data leak disclosure policy too. pic.twitter.com/Jt3KkFs0zZ
— Rajshekhar Rajaharia (@rajaharia) February 26, 2021
According to Kiran Jonnalagadda, co-founder and chief technology officer of HasGeek, the data leak is genuine and is from MobiKwik’s servers. His analysis found:
- The date on which he joined MobiKwik matches the data in the dump
- Jonnalagadda never shared his name with MobiKwik, and it is missing both in the data dump and on the profile page of the company’s website
- Passwords are hashed using bcrypt, but the usage appears to be non-standard, so one cannot verify whether a hash matches one’s password
- The MobiKwik app has access to the list of all apps on your phone, and to your GPS coordinates
The MobiKwik leak is real. Here is what the dump had for me. One of those credit cards was valid until a couple weeks ago, and I don't recall authorising MobiKwik to save it. Companies that lie like 👇 ought to be taken to the cleaners. https://t.co/sptyC1Jz8f pic.twitter.com/c4Uu25OviP
— Kiran Jonnalagadda (@jackerhack) March 29, 2021
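As an added illustration of what the bcrypt finding above means in practice (this is example code written for this page, not code from MediaNama, MobiKwik or the researchers quoted), the script below reads the parameters out of a standard bcrypt string, labels dump values that are not bcrypt at all, counts hashes per cost factor, and performs the standard check a user would run against their own record. If that check returns False for a password the user knows to be correct, the site is not feeding the raw password to bcrypt (pre-hashing, a pepper, a custom salt layout or truncation are the usual reasons); which of these, if any, applies to MobiKwik is not something this page establishes. The sample column values are constructed, and the optional `bcrypt` PyPI package is an assumption.

```python
"""Triage of password-hash strings from a database dump.

Added example, not code from the page's sources. The sample values are
constructed and are not from any real leak. The 'bcrypt' package (an
assumption) is optional: verification runs only if it is installed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Modular-crypt format used by bcrypt:
#   $<version>$<cost>$<22-char salt><31-char digest>  (bcrypt's own base64 alphabet)
_BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)
_HEX_SIZES = {32: "MD5-sized", 40: "SHA-1-sized", 64: "SHA-256-sized"}
BCRYPT_INPUT_LIMIT = 72  # bytes; bcrypt silently ignores input beyond this


@dataclass(frozen=True)
class BcryptInfo:
    version: str
    cost: int
    salt: str
    digest: str

    @property
    def rounds(self) -> int:
        """Key-setup iterations: 2**cost; each +1 in cost doubles cracking effort."""
        return 2 ** self.cost


def parse_bcrypt(value: str) -> Optional[BcryptInfo]:
    """Return the components of a well-formed bcrypt string, else None."""
    m = _BCRYPT_RE.match(value)
    if not m:
        return None
    version, cost, salt, digest = m.groups()
    return BcryptInfo(version, int(cost), salt, digest)


def classify_stored_password(value: str) -> str:
    """Label one stored-password column value for breach triage."""
    info = parse_bcrypt(value)
    if info is not None:
        return f"bcrypt(version={info.version}, cost={info.cost})"
    if re.fullmatch(r"[0-9a-fA-F]+", value) and len(value) in _HEX_SIZES:
        # Plain hex of a fixed digest size: a fast hash, cheap to crack offline.
        return f"hex-{len(value)} ({_HEX_SIZES[len(value)]}, not bcrypt)"
    return "unrecognised"


def cost_histogram(values: Iterable[str]) -> Dict[int, int]:
    """Count bcrypt hashes per cost factor; low costs are the ones to worry about."""
    counts: Counter = Counter()
    for v in values:
        info = parse_bcrypt(v)
        if info is not None:
            counts[info.cost] += 1
    return dict(counts)


def exceeds_bcrypt_limit(password: str) -> bool:
    """True if bcrypt would truncate this password (one way verification can surprise)."""
    return len(password.encode("utf-8")) > BCRYPT_INPUT_LIMIT


def verify_if_possible(password: str, hash_str: str) -> Optional[bool]:
    """Standard bcrypt check; None if the optional 'bcrypt' package is absent.

    False for a known-correct password means the site does not hash the raw
    password with bcrypt as-is (pre-hashing, pepper, custom salting, ...).
    """
    if parse_bcrypt(hash_str) is None:
        return False
    try:
        import bcrypt  # optional third-party dependency (pip install bcrypt)
    except ImportError:
        return None
    try:
        return bcrypt.checkpw(password.encode("utf-8"), hash_str.encode("ascii"))
    except ValueError:  # malformed salt/hash rejected by the library
        return False


# Constructed sample column values (not from any real dump).
SAMPLE_DUMP = [
    "$2b$12$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "$2a$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
    "5f4dcc3b5aa765d61d8327deb882cf99",
    "plaintext-or-unknown-scheme",
]

if __name__ == "__main__":
    for v in SAMPLE_DUMP:
        print(classify_stored_password(v))
    print(cost_histogram(SAMPLE_DUMP))
```

The cost histogram is the first thing to compute over a real dump: bcrypt at cost 5 is roughly 128 times cheaper to attack than at cost 12, and a column mixing bcrypt with bare MD5-sized hex values tells you part of the user base was never migrated to a slow hash.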
The last time this volume of sensitive personal information was made public online was between 2013 and 2015, when various government departments began publishing KYC information along with (non-biometric) Aadhaar data.
MobiKwik continues to deny data leak
When Rajaharia first reported the incident in February, MediaNama reached out to MobiKwik, which denied the claims. News of the leak then died down, until the hacker group recently created the website to showcase it.
Sadly, Rajaharia has been on the receiving end of censorship and legal threats ever since he reported the leak. According to screenshots of multiple email exchanges seen by MediaNama, Rajaharia’s tweets and posts on platforms such as Facebook and LinkedIn have been taken down. In March, MobiKwik sent a request to Twitter flagging four of his tweets for allegedly violating Indian law, the screenshots showed.
In a March 30, 2021 blog post, MobiKwik said that all of its users’ accounts and balances were completely safe and that all financially sensitive data is stored in encrypted form in its databases. A spokesperson for the company told MediaNama by email that, as a regulated entity, it takes data security very seriously and is fully compliant with applicable data security laws.
“As soon as this matter was reported, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach. The company is closely working with the requisite authorities on this matter, and considering the seriousness of the allegations will get a third party to conduct a forensic data security audit.” — MobiKwik Spokesperson
In a statement on Twitter, Bipin Preet Singh, co-founder and chief executive officer of MobiKwik, said that it is entirely possible that users uploaded their information to multiple platforms, and that it is therefore “incorrect to suggest that the data available on the darkweb has been accessed from MobiKwik or any identified source.”
Asked how the data theft could have taken place, Rajaharia told MediaNama that the access credentials (security keys) for an Amazon Web Services database used by the company were most likely compromised.
“From the data leak, we found that the hacker had had access to the full security credentials of the company’s servers since January this year. When the leak was discovered, I contacted the hacker, who still had live access to the servers. After that I informed the company, and within 5-10 minutes the hacker said they had lost their access. But as of this point, the company’s website is still broken, as there are many live Application Programming Interface (API) links that are leaking customer information”—Rajshekhar Rajaharia, Independent Cyber Security Researcher
Growing cyber incidents and data leaks
Cyber-crime has been on the rise since the COVID-19 pandemic began early last year, owing to increased reliance on digital tools and the internet. According to a study by software firm Micro Focus, Indian organisations experienced a 58% increase in cyber-security challenges over the last few months, and a 51% increase in the difficulty of investigating or remediating incidents. Around 98% of Indian organisations are short-staffed in security, the study said.
In January, millions of customer records, including sensitive card data, were leaked on the dark web after a security compromise at a server used by Juspay, a major payment gateway provider in the country. At the time, this was reported to be the largest data breach in the country’s history.
While data breaches and sales of personal information on the dark web are increasing year on year, the Indian government has yet to enact a personal data protection law. Recently, the government said it is working on a new national cyber security strategy. Under the Reserve Bank of India’s March 2020 guidelines, payment aggregators and payment gateways must immediately report any data breach to the central bank and to the Indian Computer Emergency Response Team (CERT-In). They must also submit quarterly internal and annual external audit reports, as well as bi-annual vulnerability assessments, to the RBI.
MediaNama has reached out to CERT-In; its response is awaited.
Also read
- MobiKwik raises $7.2 million in pre-IPO funding round
- 2020 was a good year for cyber criminals, a bad one for financial and payments security
- MobiKwik’s revenues up 134% in FY20 on the back of consumer payments and fintech lending