It has already been termed as the largest KYC leak ever. Independent cyber security researchers have claimed that a database containing KYC details of nearly 3.5 million users of Indian payment app MobiKwik, in addition to personal and payments data of about 99,224,559 users, is up for sale on the Dark Web.
First tweeted by the independent cyber security researcher, Rajshekhar Rajaharia, and then confirmed by the French researcher Elliot Alderson, (who termed it the largest KYC leak), the alleged breach is pegged at 8.2TB data containing users’ phone numbers, emails, passwords, addresses, bank accounts and Aadhaar card details.
Mobikwik has denied the breach.
But a link from the dark web is available online, and several users on twitter have claimed seeing their personal details in it.
Some of then even posted screenshots of the alleged MobiKwik user data, which was reportedly up for sale for 1.5 bitcoin or about $86,000 (Rs 69 lakh) on a popular hacker forum.
MobiKwik denies breach, says will take legal action against researcher
11 Crore Indian CardHolders data alleged leaked from @MobiKwik Server, Hacker claimed. It Seems hacker still have their data. Backup was alleged taken on 20Jan 2021. He claim to have mobikwik access since last 30 days. @RBI @IndianCERT Please look into this matter.#InfoSec #GDPR pic.twitter.com/tBS3U6OqhwMarch 4, 2021
“A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organization while desperately trying to grab media attention. We thoroughly investigated his allegations and did not find any security lapses,” MobiKwik tweeted from its official handle.
Our user and company data is completely safe and secure. The various sample text files that he has been showcasing prove nothing. Anyone can create such text files to falsely harass any company, it added.
MobiKwik also said that its legal team will pursue action against the researcher.
Seller says data can be used to raise loans
The denial does not square with the fact that the seller at the hacker forum has also calimed the the source to be MobiKwik. The samples of leaked data, in any case, contain images of MobiKwik QR codes.
As per a report in TechNadu, “for the set price of 1.5 BTC ($84k), a buyer can get the entire database and have the dark web portal taken offline, keeping everything exclusive.”
The seller of the data also claimed that the merchant entries can be used to raise loans by posing as the merchant.
“The seller claims that each of the merchant entries in the database can be used to raise $500-$1,000 loans in Indian currency, so the investment of the 1.5 BTC could supposedly yield up to three billion USD,” the TechNadu report added.
The MobiKwik leak is real. Here is what the dump had for me. One of those credit cards was valid until a couple weeks ago, and I don’t recall authorising MobiKwik to save it. Companies that lie like 👇 ought to be taken to the cleaners. https://t.co/sptyC1Jz8f pic.twitter.com/c4Uu25OviPMarch 29, 2021
The data dump is said to contain 350GB of MySQL dumps or 500 databases, 99 million email, phone, passwords, physical addresses, IP address, GPS location and device related data, as well as 40 million records of card numbers, expiry dates, card hashes (SHA256 encrypted).
Further, it also has 7.5TB of merchant KYC data pertaining to 3.5 million merchants. Details of passports, Aadhaar cards, PAN cards, selfies, other photograph proof and other information that MobiKwik used to furnish loans to these customers.
For the record, MobiKwik had last week raised $7.2 million in a funding round prior to the listing on the stock exchange.
