Posted on April 12, 2021 at 7:52 PM
The past few weeks have seen heavy data breaches at some of the top companies around the world, with Facebook, LinkedIn, and MobiKwik all recent victims. The data breach at digital payments platform MobiKwik affected 11 crore of its users.
Now, a recent report reveals that one of the largest stockbrokers in India, Upstox, has been compromised. The report revealed that the threat actors stole KYC as well as other vital information about many of its customers.
The company didn’t waste time announcing the breach to the public after it was discovered. However, Upstox pointed out that customer funds and shares are safe, and the security of the system has been enhanced.
System breached through third party
Upstox’s co-founder and chief executive officer Ravi Kumar commented on the hacking incident, stating that the details of its clients were compromised through third-party warehouse systems.
After enhancing its system’s security, Upstox added stronger restrictions to the affected database, ringfenced its network, added 24×7 monitoring, set up real-time, and added more security enhancements at all third-party data warehouses.
“As a matter of abundant caution, we have also initiated a secure password reset via OTP,” Kumar added.
The breach affects over 80% of Upstox’s customers
Apart from the company, security researchers have also tweeted about the breach, stating that the hackers breached the accounts of about 25 lakh users, which is over 80% of its customers.
He stated that customers’ securities are held with the relevant depositories and they should not worry about the safety of their funds.
Upstox has almost 30 lakh users and has financial backing from investors like Ratan Tata and Tiger Global. In terms of the number of customers, the company is the second-largest broker in the country, behind only Zerodha.
Within the past three years, the broker has invested in a bid to expand its customer base and operational capacity.
Boosted by the easy availability of smartphones and sliding data prices, the company has ramped up its operations and increased its client base severalfold.
The brokerage has been working with wafer-thin trading costs and is gradually operating at a lower cost than traditional big players such as HDFC Securities, ICICI Securities, and others.
Upstox recently took up a sponsorship role for the Indian Premier League (IPL). The broker has also taken on other engagements and projects in recent times.
Upstox scales up its bounty program
The company has also scaled up its bounty program, allowing ethical hackers to test its systems and discover bugs before they are discovered by threat actors.
Upstox said it had already reported the hacking incident to the appropriate authorities and that an investigation is ongoing. It further advised customers to follow secure practices and ensure they never share their OTPs. They should also check the authenticity of links, watch out for unauthorized OTPs, and always use strong passwords to protect their data.
Reports about the hacking incident have linked the notorious ShinyHunters group to the attack. Exposed user details include names, email addresses, bank details, and dates of birth.
Kumar also stated that the expertise of a globally renowned security firm has been sought to look into the situation and mitigate the loss.
Also, ShinyHunters are demanding $1.2 million as a ransom payment to keep the data away from public view.
Bug in AWS led to a system breach
Web security researcher Rajshekhar Rajaharia pointed out that threat actors have many uses for the breached data. According to him, the compromised data can be used by malicious parties to impersonate users and carry out transactions on their behalf.
Rajaharia added that the hackers succeeded in compromising the Upstox server due to a vulnerable Amazon Web Services (AWS) setup used by the company.
He stated that Upstox’s AWS S3 bucket was not properly configured, a problem that has been the cause of several data breaches in the past. He noted that the same key was exploited by hackers during the MobiKwik breach as well.