Even as the number of Indians that have come online has skyrocketed in recent years, so have the associated risks.
Mobikwik has allegedly been hit by what’s being claimed to be the biggest data leak in India’ history. Over 8 terabytes (TB) worth of personal user information such as email ids, phone numbers, names, addresses, passwords, GPS locations, and data related to users’ mobile devices has been made public on the dark web. A link allowed users to look up their ids, and check if their data had indeed been leaked.
Several users said that the data they’d shared with Mobikwik was indeed available, indicating that the leak might have actually happened.
“The MobiKwik leak is real. Here is what the dump had for me. One of those credit cards was valid until a couple weeks ago, and I don’t recall authorising MobiKwik to save it,” wrote Twitter user Kiran Jonnalagadda.
“I confirmed that the #mobikwik leak is looking genuine. This looks very bad,” wrote another user.
“What the f*** is this Mobikwik? How the hell are my all the cards that are linked to my mobikwik account are shown to a certain link ? Shut down your services,” wrote another Twitter user and attached a screenshot.
The entire saga appeared to start earlier this month, when Rajshekhar Rajaharia, an independent security researcher, had claimed that the data of 11 crore Indian cardholders had been leaked from Mobikwik’s server. He’d tagged the RBI and Indian security agencies, urging them to take action.
Soon after, Mobikwik had shared an update on its official handle, hinting that Rajaharia was a “media-crazed so-called security researcher.” “A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organization while desperately trying to grab media attention. We thoroughly investigated his allegations and did not find any security lapses,” it said.
But the data leak again surfaced yesterday, with other prominent security researchers saying that Mobikwik’s data had indeed been leaked. Elliot Alderson, a France-based researcher who often uncovers such leaks, said that Mobikwik was denying the hack in spite of proofs.
As more and more people verified that their data had been leaked, Mobikwik came out with a statement. “Some users have reported that their data is visible on the dark web. While we are investigating this, it is entirely possible that any user could’ve uploaded his/her information on multiple platforms. Hence, it is incorrect to suggest that the data available on the darkweb has been accessed from Mobikwik or any other identified source,” the statement said.
But this explanation didn’t cut ice with many users, who said that the data leak contained the dates when users had made their Mobikwik accounts, suggesting that the data had indeed come from Mobikwik.
Mobikwik has, meanwhile, assured users that their account balances are safe, but the breach does raise some serious questions. Several users have claimed that their information was indeed up on the dark web, which included phone numbers, credit card numbers, and more worryingly, photos of KYC documents. It also appears that Mobikwik had been aware of the breach for at least a month, but didn’t disclose it to users, or prompted them to change their passwords. And while several companies, including Dunzo, BigBasket, and Zomato have been hit by similar breaches, this breach, just for its claimed 10 crore users, might be the most serious that the Indian tech scene has ever seen.