A dataset of around 10 crore MobiKwik users, containing information usually submitted during account verification or KYC validation like scanned images of Aadhaar card, images of passport, phone numbers, emails, credit card details and their location, is on sale on the dark web, two security researchers have claimed.
Rajasthan-based internet security researcher Rajshekhar Rajharia had first spotted the leaked dataset on February 25; the issue, however, gained prominence after France-based security researcher Elliot Alderson confirmed the veracity of the database on Monday.
Entrackr independently accessed the leaked dataset and verified that a lookup returned a person’s name, email, masked card details and location, among other things. Two people also shared with Entrackr screenshots of their details present in the database. Several users on Twitter have also claimed to have found their details in the leaked dataset.
Srikanth L of CashlessConsumer, a group that works on digital payments policy advocacy, told Entrackr that he was able to verify his leaked data from the search site put up by the hacker.
When asked why the leaked dataset was being attributed to MobiKwik, Rajharia said that there was enough evidence to suggest that it belonged to the company. “The database had details about one of my cards which I had only saved on MobiKwik, and nowhere else,” he said.
“For people who had not added an email while signing up, their corresponding email in the leaked database was phonenumber@mobikwik.com, where the phone number was their mobile number. The account creation date mentioned on the leaked dataset is the same as the date when a lot of the people had created their MobiKwik accounts,” Rajharia added.
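The attribution signals Rajharia describes (placeholder emails of the form phonenumber@mobikwik.com that match the record's own phone number, account creation dates that cluster where a given platform's users signed up) are the kind of thing a responder checks over a sample of a leaked dump before accepting a claimed source. The script below is an added example, not code from the article or from either researcher; it runs over a constructed sample of records whose values are invented, assumes Indian 10-digit mobile numbers with an optional +91 prefix, and assumes the field names `email`, `phone`, `card` and `created`. The masked-card check is an additional sanity check suggested by Entrackr's description of masked card details, not something the researchers reported doing.

```python
import re
from collections import Counter

# Constructed sample records (invented values, not from the actual dump),
# in the shape the article describes: name, email, phone, masked card,
# account creation date.
SAMPLE_RECORDS = [
    {"name": "user1", "email": "9876543210@mobikwik.com", "phone": "+91 9876543210",
     "card": "XXXX-XXXX-XXXX-1234", "created": "2016-11-10"},
    {"name": "user2", "email": "user2@example.com", "phone": "9123456780",
     "card": "XXXX-XXXX-XXXX-5678", "created": "2016-11-11"},
    {"name": "user3", "email": "9000000001@mobikwik.com", "phone": "9000000001",
     "card": "", "created": "2016-11-12"},
    # Placeholder email whose local part does NOT match the phone field:
    # weaker evidence, possibly a merged or tampered record.
    {"name": "user4", "email": "9111111111@mobikwik.com", "phone": "9222222222",
     "card": "XXXX-XXXX-XXXX-9012", "created": "2019-03-02"},
    # Apparently unmasked PAN (invented test number), which would contradict
    # the "masked card details" description and deserves scrutiny.
    {"name": "user5", "email": "user5@example.org", "phone": "9333333333",
     "card": "4111111111111111", "created": "2019-03-02"},
]

# Placeholder pattern quoted by Rajharia: <10-digit number>@mobikwik.com
PLACEHOLDER_RE = re.compile(r"^(\d{10})@mobikwik\.com$", re.IGNORECASE)
# Masked card: three masked groups followed by the last four digits.
MASKED_CARD_RE = re.compile(r"^[Xx*]{4}-?[Xx*]{4}-?[Xx*]{4}-?\d{4}$")


def normalise_phone(raw):
    """Keep the last 10 digits (assumption: Indian mobiles, optional +91)."""
    digits = re.sub(r"\D", "", raw or "")
    return digits[-10:]


def placeholder_signal(records):
    """Return (consistent, inconsistent): placeholder emails whose local part
    equals the record's phone number versus those that do not."""
    consistent = inconsistent = 0
    for rec in records:
        match = PLACEHOLDER_RE.match(rec.get("email", ""))
        if not match:
            continue
        if match.group(1) == normalise_phone(rec.get("phone")):
            consistent += 1
        else:
            inconsistent += 1
    return consistent, inconsistent


def creation_month_histogram(records):
    """Histogram of account creation months, to compare against the period
    in which the suspected platform's users actually signed up."""
    return Counter(rec["created"][:7] for rec in records if rec.get("created"))


def card_masking_check(records):
    """Return (masked, unmasked) counts over non-empty card fields."""
    masked = unmasked = 0
    for rec in records:
        card = rec.get("card") or ""
        if not card:
            continue
        if MASKED_CARD_RE.match(card):
            masked += 1
        else:
            unmasked += 1
    return masked, unmasked


def attribution_report(records):
    """Summarise the attribution signals for a sample of leaked records."""
    consistent, inconsistent = placeholder_signal(records)
    masked, unmasked = card_masking_check(records)
    histogram = creation_month_histogram(records)
    return {
        "records": len(records),
        "placeholder_consistent": consistent,
        "placeholder_inconsistent": inconsistent,
        "placeholder_share": round(consistent / len(records), 3) if records else 0.0,
        "masked_cards": masked,
        "unmasked_cards": unmasked,
        "top_creation_months": histogram.most_common(3),
    }


if __name__ == "__main__":
    for key, value in attribution_report(SAMPLE_RECORDS).items():
        print(f"{key}: {value}")
```

These counts are supporting evidence, not proof: a placeholder pattern can be copied into a merged dump, so the signal that actually pins a source is the one Rajharia leads with, a card or other datum that the affected person stored with exactly one provider. A report like this belongs alongside that kind of corroboration, not in place of it.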
The dataset is still available for sale on the dark web for 1.5 bitcoin (worth around Rs 64 lakh), Rajharia said.
Responding to the growing voices of concern from its users, MobiKwik said it was incorrect to attribute the leaked database to the company.
“Some users have reported that their data is visible on the darkweb. While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the darkweb has been accessed from MobiKwik or any identified source,” Bipin Preet Singh, MobiKwik’s founder and CEO said in a statement.
Entrackr has reached out to MobiKwik and CERT-In for more details.
The incident comes at an unfavourable time for MobiKwik, which is in its pre-IPO phase, laying the groundwork and raising funds in what could be its last round before going public.
That may be why it first denied the incident outright when news of the claimed breach broke. In a statement released earlier in March, the company had said that a “media-crazed so-called security researcher repeatedly over the last week presented concocted files wasting precious time of our organization while desperately trying to grab media attention”.
Its latest statement does not appear to have helped its cause much either, with many now saying that it is unwise to shift the blame onto users.
“Denial and putting the blame back on users are possibly the worst takes that [MobiKwik] could have gone with in response,” InMobi’s Navin Madhavan said via a tweet.
In his latest statement, Singh said that the company undertook a thorough investigation into the matter with the help of external security experts and did not find any evidence of a breach.
“Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit,” he added.
“No misuse of your wallet balance, credit card or debit card is possible without the one-time-password (OTP) that only comes to your mobile number. We strongly recommend that you do not try to open any darkweb/anonymous links as they could jeopardize your own cyber safety,” Singh said.