On March 29, several cybersecurity experts and media agencies reported that Know Your Customer (KYC) data of millions of users of the payment app Mobikwik is up for sale on the dark web.
Notably, the alleged breach was first reported by security researcher Rajshekhar Rajaharia on February 26. His claims were denied by Mobikwik at the time. However, several experts say that they were able to access some of the leaked data on the dark web, and several screenshots of the personal data of Mobikwik users have been published on social media networks in the last couple of days. According to BGR, the data contains:
- Total 350 GB of MySQL dumps, over 500 databases
- 99 million records: email ID, phone, passwords, addresses, apps installed, phone manufacturer, IP address, and GPS location
- 40 million records: 10-digit card number, month, year, card hash
- ~7.5 TB of KYC data for ~3 million merchants: passports, Aadhaar cards, PAN cards, selfies, store picture proofs, and more, used to get loans on the mobile phone-based payment system
The breach happened in January 2021 – claimed Rajshekhar
In his tweet thread on February 26, Rajshekhar claimed that data of 11 crore Indian cardholders, including personal details and KYC documents (PAN, Aadhaar), is up for sale on the darknet. He further added that the breach happened at the company’s data centre located in India. As per his post, the data comprises 6 TB of KYC data and 350 GB of compressed MySQL dump.
This happened for the 2nd time this year. The hacker is claiming that he has had access to the company’s server since Jan 2021 till today. They also posted some DB structures with samples. Hope someone will take responsibility for this breach. @RBI should investigate this issue. pic.twitter.com/LK8ZYddQfn
— Rajshekhar Rajaharia (@rajaharia) February 26, 2021
Rajshekhar said that the actors behind the alleged breach claimed to have gained access to the server in January 2021 and to have retained it for over a month. He also claimed that the company had removed a blog post about the 2010 data breach, but when we checked, it was still available.
What is in the leaked data?
As per the reports, the leaked data contains 36,099,759 files spread over 8.2 TB. It contains KYC details, addresses, email IDs, bank account numbers, credit card details, phone numbers and Aadhaar card numbers of MobiKwik customers. The data is up for sale for 1.5 Bitcoin, which converts to approximately USD 85,000.
TechNadu said in a post that the email IDs, phone numbers, passwords, apps installed, phone manufacturer, IP address, GPS locations, and other details of users were available in the file posted on the darknet.
The actors behind the attack, who go by the name ninja_storm, said in the sale post that they had recovered the data and that it is up for sale. They further added in the post that the data could be used to secure small loans, just as in the USA but in India. “All data deleted on our end after the transfer,” the hacker said towards the end of the post.
Experts’ views on the breach
Troy Hunt, founder of Have I Been Pwned, a website that checks if someone’s email address or password was compromised, said in a tweet that companies should not behave as Mobikwik did in its March 4 post. “Try Googling ‘Mobikwik data breach’ now…,” he added.
Never *ever* behave like @MobiKwik has in this thread from 25 days ago. Try Googling “mobikwik data breach” now… https://t.co/L5E4xc1ey0
— Troy Hunt (@troyhunt) March 29, 2021
Alon Gal, co-founder and CTO of Hudson Rock, called it a devastating hack. He said, “For each individual, there is just an astounding amount of information, this is really just a devastating hack, and all the data is up for sale by the threat actors.”
For each individual there is just an astounding amount of information, this is really just a devastating hack and all the data is up for sale by the threat actors.
— Alon Gal (Under the Breach) (@UnderTheBreach) March 28, 2021
Vikash Chaudhary, CEO at HackersEra, said in a post on LinkedIn that his data is also available in the leak. He said, “India should have a strict data privacy law like the EU having GDPR. The saddest part is my data is also there.”
Kiran Jonnalagadda, founder of HasGeek, said that the leak is real. In a thread posted on Twitter, he showed how one could determine whether the hack is real. He said that the date in the dump matches an email he had received from Mobikwik back in 2013 when he created an account on the app. Talking about the credit card details stored in the data dump, he said he did not remember authorizing Mobikwik to save them.
The MobiKwik leak is real. Here is what the dump had for me. One of those credit cards was valid until a couple weeks ago, and I don’t recall authorising MobiKwik to save it. Companies that lie like 👇 ought to be taken to the cleaners. https://t.co/sptyC1Jz8f pic.twitter.com/c4Uu25OviP
— Kiran Jonnalagadda (@jackerhack) March 29, 2021
Talking about the password hash mismatch, he said it creates some uncertainty. He added, “A password hash match would have made this irrefutable evidence as the password isn’t reused. Sans that, at this point, the evidence is merely compelling.”
A password hash match would have made this irrefutable evidence as the password isn’t reused. Sans that, at this point the evidence is merely compelling.
— Kiran Jonnalagadda (@jackerhack) March 30, 2021
Sunny Nehra, Admin at Hacks and Security, said, “The data is real. Anyone can check that by searching their own mobile no. they shared with Mobikwik. Refusal of hacks or leaks by companies has become common nowadays, and that’s costing a lot to their users. One should deny bogus claims, but real claims must be acknowledged.”
The data is real. Anyone can check that by searching their own mobile no. they shared with @MobiKwik
— Sunny Nehra (@sunnynehrabro) March 30, 2021
Refusal of hacks or leaks by companies has become common nowadays and that’s costing a lot to their users.
One should deny bogus claims but real claims must be acknowledged. https://t.co/MSsToWtX2d pic.twitter.com/6pdIeEoQLJ
Mobikwik’s March 4 statement irked netizens
On March 4, Mobikwik had denied any data breach. In a tweet thread, they said, “We thoroughly investigated his allegations and did not find any security lapses. Our user and company data is completely safe and secure.”
The company further added that its legal team is looking into the matter. They said, “Our legal team will be pursuing strict action against this so-called researcher who is trying to malign our brand reputation for ulterior motives.”
The month-old tweet thread has been making the rounds on the social media platform, and Mobikwik users are not pleased with the denial.
Sanjeev Gupta, Secretary at ISCS, Ministry of Home Affairs, Government of India, said in a tweet thread that after learning about the breach, he contacted some tech experts, who informed him that his information was, in fact, available in the data dump. He shared a screenshot of the reply he got and said, “Mobikwik denied it on March 4. So, I tried URL sent to me on DM by some techies & also available publicly. Got all data including mobile no., email, #ed password, credit cards (fields for apps, CVV2, Expiry too!). I shudder to think for those who did full KYC using Aadhaar.”
@MobiKwik denied it on March 4. So, I tried URL sent to me on DM by some techies & also available publicly. Got all data including mobile no., email, #ed password, credit cards (fields for apps, CVV2, Expiry too!). I shudder to think for those who did full KYC using Aadhaar (1/3) pic.twitter.com/M0mhzF3eH8
— Sanjeev Gupta (@sanjg2k1) March 30, 2021
He further added that his second mobile number was also in the dump. He urged users not to share all the information with payment solution companies, including Mobikwik, Paytm and Amazon.
My 2nd mobile no too proved #MobikwikDataLeak. While @MobiKwik issue is highlighted, beware all wallets including @paytm @amazon etc. Never save ur credit card details, manage with basic KYC & give less data. Don’t fall for full KYC offers & maintain separate low balance a/c for it pic.twitter.com/GK30egPhas
— Sanjeev Gupta (@sanjg2k1) March 30, 2021
So out of the 3 CC details which were in the mobikwik app, the app shows only the one which is currently active. This means they are still storing data of old cards even though the app doesn’t show that to me. Wah Mobi ji Waah!
— Karan Sachdev (@karansachdev) March 30, 2021
Yes this is India’s biggest KYC data leak ever and if you even signed up with Mobikwik then there is almost a confirmed chance that your data is leaked
— Shubham Dutt (@shubhamdutt13) March 29, 2021
This is not how Digital India 🇮🇳 was supposed to be done #mobikwik #Dataleak pic.twitter.com/wCETQkmffH
Sale of the dump suspended
According to a report published by The Hacker News, the sale of the data dump has been suspended by the hackers. “Only sell this to the company after due verification that we are dealing with company,” the hacker said in an update. Going by the update, it seems the data dump is going to be used as a means to extort money from Mobikwik.
OpIndia’s investigation revealed some truth to the claims
We tried to access the dark web link provided in some of the tweets and found that a lot of information was available. One of our team members was able to find details of a family member’s account.
Below the search details, random files from the data dump were published. Here are some copies of such files.
What should the users do?
- First of all, change the password of your account immediately. Go to the link https://www.mobikwik.com/mywallet/settings and then click on Change Password. You can do it from the app too.
- In the next step, until everything is verified and cleared from the company, it is better to withdraw your money from Mobikwik. You can use the link https://www.mobikwik.com/mywallet/balance.
- If you have added UPI accounts in the app, please remove them. You can use https://www.mobikwik.com/mywallet/linked-banks for this purpose.
- If you have added debit or credit cards to the account, it is advised to remove them for a while. Visit https://www.mobikwik.com/mywallet/cards and click on Remove.
- Please do not authorize any payment link without verifying it first.
- Make sure to change the authentication passwords for app and bank accounts.
- It is better to change your UPI passwords too.
- In case you notice any unusual activity in your bank account, please contact your nearest police station immediately and inform the concerned banks and authorities.
About MobiKwik
Mobikwik was launched in August 2009 by Bipin Singh and Upasana Taku. Initially, it provided a mobile recharge facility. In 2012, Mobikwik launched an e-wallet system that allowed users to pay bills etc. Now, the company has extended its services to money transfer, loans and insurance as well. RBI authorized its semi-closed e-wallet in 2013. The company is planning to launch its IPO by September this year.
OpIndia has tried to reach out to the founders of MobiKwik. The story will be updated accordingly.