Posted on March 29, 2021 at 2:37 PM
Highly sensitive data containing details of millions of MobiKwik users has been posted on a hacker forum. The firm offers a digital wallet service and mobile phone-based payment system that enables users to carry out transactions directly from their mobile phones.
The Gurugram-based firm started giving small loans to its users in 2016. This led to the introduction of know-your-customer (KYC) requirements. To maintain the KYC policy, MobiKwik had to demand Aadhaar cards, scanned passports, ID documents, and PII from its users.
Security researcher Rajshekhar Rajaharia discovered the compromised database and informed the company about the discovery. Based on the check, the stolen data appears to be valid and to come from MobiKwik.
The report also revealed that the seller of the stolen data had already launched a dark web portal where people can search the database by email ID or phone number to get specific results. The stolen file contains 8.2 terabytes of data.
The seller offers the entire data for 1.5 BTC
The seller has also set a price for the entire database. According to the report, the seller of the stolen data will release the entire data for 1.5 Bitcoin, which is worth $84,000 at the time of writing. The seller added that the dark web portal will be taken down once the buyer gets the entire database.
The seller also listed some contents of the file, which include lots of databases with all company data, 350GB of MySQL dumps, and millions of installed apps, addresses, passwords, phone numbers, and email IDs.
It also contains 7.5 TB of 3 million Merchant KYC data, including Aadhaar cards, passports, store picture proof, and PAN cards.
The seller also asserted that each merchant entry in the database can be used to get loans of between $500 and $1,000 paid in Indian rupees. As a result, he claims an investment of 1.5 BTC by the buyer could yield about USD 3 billion.
It was also alleged that, as a proof of concept, a partner tried raising a couple of loans and succeeded as expected.
In a desperate effort to get some of the data and avoid paying the full price, an unknown user set up a script to fish out the entire 99 million entries from the dark net site. Although the user didn't succeed, the attempt is an indication that the stolen data may contain information sensitive enough for someone to take such a desperate action.
Impact on users
Whenever there is a breach of user data from a company, the users mostly end up paying the ultimate price. The threat actors who get hold of the stolen data can use it to launch attacks in the future. They can carry out phishing attacks, credit card theft, or impersonate the victim using the details stolen from MobiKwik.
The situation is very bad for the affected users since anyone can search for them directly, with some already scraping parts of the data on the Tor network.
It's not clear when the hacking of the data from MobiKwik servers took place. The company has not mentioned any data breach or acknowledged that there was one on its platform.
Also, MobiKwik has not made any announcement about the incident on its social media channels or official website. Emails have been sent for comments about the situation, but the company has not responded yet.
The recent data leak has increased users’ demand for data protection laws against situations like this. More users are clamoring for more protection of their details since they are the worst hit in hacking incidents involving user data.