Mobikwik under scrutiny as data of around 11 crore users is up for sale.


Representative image.


Mobikwik data leak, if found to be true, will be the largest KYC data breach, with around 11 crore users. It is being claimed as the "biggest data leak in Indian history." The KYC details of Mobikwik - PAN card, Aadhaar card, debit/credit cards, phone numbers, and other personal details - have been leaked online. It is up for sale on the dark web. In February, independent security researcher Rajshekhar Rajaharia had claimed that the personal data of about 11 crore Mobikwik users had been compromised. But this claim was completely denied by the company back then.

Renowned French cybersecurity expert Elliot Anderson (also known as Robert Baptiste) has supported Rajaharia's claim. Many other independent cybersecurity researchers have flagged this breach. The volume of the data leak amounts to 8.2 TB of data.

According to Rajaharia, the data were leaked from the main server of Mobikwik by Jordan Daven - a hacker - on dark web forums on January 20, 2021. Rajaharia said, "Regular keys and passwords should have been changed and logs should have been monitored to avoid this kind of security compromise."

Several users have reportedly recognized their details on the dark web link that is being circulated. They've also posted screenshots of the data that is up for sale. Mobikwik continues to deny its role in the leak. It has called out the researchers as "media-crazed" and alleges them of presenting "concocted files" as evidence. According to a Mobikwik spokesperson, "We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure."

Independent researcher, Avinash Jain has also verified the leak. As per Jain, the Personal User Identification can be assessed in plain text and it is insecurely stored in Mobikwik's servers. Jain stated, "It seems the attacker got hold of their cloud infrastructure and was able to access data stores where these data were stored." Jain further said that data breaches are on the rise. Indian startups need to take user data security seriously and treat it as an utmost priority.

A TechNadu report reveals that the seller has set up a dark web portal "where one can search by phone number or email ID and get the specific results out of a total 8.2 TB of data." Reports state that a seller who has set the data on sale wants 1.5 Bitcoin (around Rs. 63 lakh) for deleting the leaked data. The user data is as recent as January 2021.

Download Report


2 views0 comments