Payment wallet app Mobikwik is facing a backlash from users after the company tried to dismiss the claim of the biggest Indian data breach so far.
It is alleged that data of 10 crore Indians from the payment app Mobikwik, described as 3.5 million users' data, has been put up for sale on a hacker forum on the dark web.
This data breach was first made public by independent security researcher Rajshekhar Rajaharia in early March. As the researcher took to his Twitter handle to make people aware of the biggest data leak so far, the company countered him on March 4: “A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organization while desperately trying to grab media attention. We thoroughly investigated his allegations and did not find any security lapses,” the company said in its tweet.
The researcher said data of 11 crore Indians, which included information from KYC (Know-Your-Customer) forms, unmasked card numbers, and other personal details, had been leaked from a Mobikwik server. The researcher named Mobikwik in a series of tweets, adding that hacker(s) had access to the company’s data since January 2021.
However, the company maintains that these are all false claims and that user data is kept fully secure and encrypted. Other independent security researchers back Rajshekhar, calling his allegations against Mobikwik credible and describing this data leak as one of the biggest to date. The prolific French cybersecurity expert Robert Baptiste, aka Elliot Alderson, confirmed the leak on March 29, 2021, crediting a third security researcher for the tip, and said it was probably the “largest KYC data leak in history.” Australian web security researcher Troy Hunt, creator of ‘haveibeenpwned’, also supported Rajaharia’s findings.
“The MobiKwik leak is real. Here is what the dump had for me. One of those credit cards was valid until a couple of weeks ago, and I do not recall authorizing MobiKwik to save it. Companies that lie like (this) ought to be taken to the cleaners,” wrote Kiran Jonnalagadda, founder of HasGeek, in a tweet.
Rajaharia had said in February that a hacker was selling MobiKwik user data such as PAN card numbers, Aadhaar numbers, debit/credit card details, phone numbers, and other personally identifiable details that are usually shared during the Know Your Customer (KYC) procedure. “Personal data of several high-profile Indian tech company founders were found in the compressed data dump.”
The data dump on the darknet is reported to be around 350GB in size.
As evidence, Rajaharia says the leaked data of 3.5 million users can be accessed by logging in to a certain link: on entering a registered email id, one can easily retrieve his/her own data from the site, including Aadhaar card and PAN card details. Many Mobikwik users confirmed the points made by Rajaharia and said they found them to be true.
Posting proof on his Twitter handle, Rajaharia revealed that an unknown seller is charging 1.5 Bitcoin (approx. Rs 63,20,535) and is promising to delete all the data once the amount is transferred.
Just a month before this revelation, Rajaharia had also disclosed a big data leak from the Bharti Airtel server. He disclosed that details of more than 2.5 million customers, including phone numbers and Aadhaar numbers, had been leaked online.
Despite these claims by cybersecurity experts and its own users, the company continues to deny them and says that there has been no data leak. In a detailed post, the company wrote that it “takes its data security very seriously, and is fully compliant with applicable data security laws.” It also said that it “has a long-running Bugs Bounty program, where ethical hackers report security issues which are immediately fixed.”
The CEO of Mobikwik, Bipin Preet Singh, tweeted on March 30, “As a regulated entity, the company takes its data security very seriously, and is fully compliant with the applicable data security laws.”
He further said, “While we are investigating this, it is entirely possible that any user could have uploaded his/her information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from Mobikwik or any identified source.”
The company also reiterated that it had conducted “a thorough investigation with the help of external security experts and did not find any evidence of a breach.”
It will also engage a third party to conduct a forensic data security audit as a matter of precaution, the company further said.
Not only are cybersecurity experts backing Rajaharia; netizens and users of the payment wallet also took to their Twitter accounts, saying that on entering their registered email id they could easily find their bank details and key identification details on the dark web link.
The Mobikwik data leak is said to be the biggest data leak in Indian history, affecting 10 crore Indian users.