Posted on April 26, 2021 at 7:20 PM
ShinyHunters Group Exposes Records Of 20 Million Users Of BigBasket
A recent report has revealed another massive data leak. According to the report, the threat actors responsible for the data breach exposed 20 million BigBasket customers. Although the hack was discovered around October last year, the data was only recently exposed to the public.
The exposed database contains password hashes, phone numbers, home addresses, email IDs, date of birth, and IP addresses.
Security agency Cyble was the first to go public with the breach, which supposedly occurred on October 14 last year. The breach was discovered on October 30 and disclosed to Big Basked two days later. Clyde also stated that the threat actors put up the data for sale on the darknet for $40,000.
ShinyHunters responsible for the leak
The hackers who have published the stolen data are no other than the notorious ShinyHunters, but it’s not clear whether they are responsible for the hack.
They uploaded the files on a popular darknet forum for anyone to download the stolen files The same threat group flooded the dark web with databases containing a combined total of 73.2 million user records from more than 11 different companies. The group has been operating since 2015 and has compromised millions of data since then. They also go by different aliases, such as Gnostic Players, #The DarkOverlord, and Shiny Hunters.
Big Baskey was not the only victim of data breaches in India last year, as Dunzo and WhiteHat Jr also suffered different data losses over the same period.
Negotiation still ongoing for BigBasket acquisition
The news is coming only weeks after Tata group announced the acquisition plan for BigBasket. The multinational conglomerate valued the startup at $1.8 billion, but no further information has been shared about the deal. It’s not clear whether the recent data leak will affect the negotiations leading to the acquisition deal.
Meanwhile, at the time of writing, Big Basket is yet to make any official statement regarding the data leak, but it’s believed the site may respond to question or address the public soon.
However, a BigBasket spokesperson stated that the exposed database was part of a data breach that occurred in November last year, and not part of any recent breach. The spokesperson said this was confirmed because the social media post mentioned the released date of the hashed password.
He added that the website has taken down all hashed passwords from its system and migrated to a secure OTP-based authentication system. Additionally, he assured users that the site doesn’t store or collect any sensitive personal data such as credit cards. As a result, customers are safe from any exploitation and they shouldn’t carry out any future action.
When reports emerged that hackers have compromised its server, stealing details of over 20 million customers in November, BigBasket confirmed the leak at the time.
The stolen data, if bought by members of the forum, can be used to carry out further attacks on the victims whose data have been exposed. In most cases, users will be expecting phishing attacks and impersonation
Users are advised to change their passwords
Security researchers advise users to look up sites like “am I breached” and ‘have I been hacked’ to find out whether their data is among the list of reported breaches in the past.
They can go to the sites and enter the details they are suspecting (email address and passwords) to check if their details have been compromised somehow. They can find out how many times their details have appeared in a breach if it has ever been breached.
Security researchers also advised that users should still take precautions even after finding their data was not breached. In some instances, breached data can remain unknown for some months until they are discovered.
As a result, users have been warned to take precautions when responding to emails that seem strange even if they are communicated like a known contact. Users of the BigBasket site have also been asked to change their account details on the platform and other platforms they registered with the same details.