Reliance Jio has become the latest Indian company to have its user data made public — and it might well be the largest.
Hackers have managed to put up personal details of millions of Reliance Jio customers on a site called Magicapk.com. The leaked information includes the full name of Jio customers, their phone numbers, email ids, circle numbers, and the time when their SIM was activated. The list also has a column for Aadhar number, but it seems to empty for most entries.
The breach has been confirmed by several users, who’ve found their own details in the database. It’s unclear when the data was first made public — the domain, which has been since taken down, had been registered on 18th April this year. The first mention of the domain is on tech forum frendz4m.com on 5th July, where user imranchhimpa talks about the site.
“hi FRD
here is script that fetch jio number details all information original hogi jo document se active h auski details aa jayegi…
link is here-:http://magicapk.com,” wrote imranchhimpa, earning praise from fellow members of the forum.
The site appears to have flown under the radar for the next 4 days, until it was discovered by Reddit at around 5 pm on Sunday. News of the leak spread quickly, with users scrambling to check if their data had been leaked. The leak appears extensive, with thousands of users saying that their details had indeed been made available.
.@reliancejio so much disappointed in u. Our details / ur database got leaked & customer details are out in public @ https://t.co/m9ddXsCTSL pic.twitter.com/SNvxdIYq0k
— Ankit Chugh (@luckyankit) July 9, 2017
Didn't show anything at first. Refreshed the page and got the details. The hell @reliancejio #RelianceJio pic.twitter.com/q9qgaYvPf7
— Robin Sinha (@RobSin91) July 9, 2017
Magicapk.com then appeared to struggle with the load of all the queries. Around 8 pm, users reported that the site was acting sluggish, requiring several refreshes to make the data available. A few hours later, the site was taken down by its hosting provider.
Reliance, meanwhile, in a statement released around 10 pm, said that the leaked data wasn’t real.” “We have come across the unverified and unsubstantiated claims of the website and are investigating it. Prima facie, the data appears to be unauthentic. We want to assure our subscribers that their data is safe and maintained with highest security. Data is only shared with authorities as per their requirement. We have informed law enforcement agencies about the claims of the website and will follow through to ensure strict action is taken,”
It’s not immediately clear how widespread the leak is — while several users have reported finding their details online, several others have said they haven’t. There have been speculations that the leaked data is from only older Jio numbers, but someone who registered their phone on 31st May also claimed that their details had been leaked.
New number are also leaked
Got this number on 31st May pic.twitter.com/Ax78y8Lo5M— Siddhesh Sharma (@SiddheshS7) July 9, 2017
Jio now has 120 million users, and this leak, even if incomplete, could easily end up being one of the largest database leaks in India. Earlier this year, Zomato had had 17 million user account emails and passwords stolen, but Jio’s leak, at first glance, seems a lot more serious. In addition to emails, it also exposes users’ full names, phone numbers and home states. While the site was taken down a few hours after it became mainstream, it was up for at least 4 days, and it’s possible that several copies of this data have been made and exist on the web.