Upstox data breach: What we know so far

Another day, another security breach at an Indian company. On Sunday, stockbroking app Upstox revealed that it suffered a data breach which compromised contact details and know-your-customer details of its users. 

In an announcement post, the Tiger Global-backed company said it received emails claiming unauthorised access into its database, following which it restricted access to the impacted database, and added security enhancements at all of its third-party data warehouses.

“As a matter of abundant caution, we have also initiated a secure password reset via OTP,” Upstox said in its announcement and assured that users’ funds and securities were safe. 

However, Upstox did not specify how many users’ data was compromised, or when the company ascertained that its database had been compromised.

Rajasthan-based security researcher Rajshekhar Rajaharia, who tweeted about the breach on Sunday after the company’s announcement, told Entrackr that the breached database includes user data like bank account details, mobile numbers, pictures of users’ signatures, Aadhaar, PAN and passport, among others.

According to Rajaharia, Upstox’s Amazon Web Services key was compromised, which is how the hackers gained access to its database. This is the same vulnerability that had reportedly been exploited in the alleged MobiKwik data breach, Rajshekhar said.

Rajaharia said that the compromised dataset included sensitive data of 2.8 million Upstox users, including 56 million know-your-customer or KYC files. 

“The hackers have released a sample from the dataset that includes contact details of 1 lakh Upstox users and 2,600 KYC files. This includes data like users’ names, emails, bank account numbers, mobile numbers, pictures of their signature, Aadhaar, PAN, and passport,” Rajaharia told Entrackr.

Rajaharia said that the database was breached by a hacker group called ShinyHunters. This group has been behind several high-profile data breaches of Indian companies, including the alleged breaches at Juspay and BigBasket.

Our email queries on whether the company’s announcement was related to the breach highlighted by Rajaharia remained unanswered. 

A source aware of the development confirmed to Entrackr that the company’s announcement post was related to the breach that Rajaharia had tweeted about. 

While the company said in its post that it has informed relevant agencies about the breach, it isn’t clear when exactly it gained knowledge of the incident. 

However, an industry source close to the development told Entrackr that Upstox had alerted India’s Computer Emergency Response Team about the breach on March 31. This means that the company had knowledge about the breach for about ten days before it alerted its users. 

An Upstox spokesperson neither confirmed nor denied the volume of the breached data as claimed by Rajaharia and whether they intimated CERT-In on March 31. 

We have reached out to CERT-In for more details. 
