Monday, November 25, 2024

Moneycontrol.com data breach: Personal details of over seven lakh users up for sale on Hackers forums – Here is what we know so far

According to the hacker who has posted the dump on the hackers' forum, the database contains 7,73,000 records with personal data of the users

On April 8, Sourajeet Majumdar, an independent security researcher, reported that personal data of over 7 lakh registered users of moneycontrol.com is available on the hackers’ forum for just $350. OpIndia investigated the claims, and here is what we have found so far.

According to the hacker who has posted the dump on the hackers’ forum, the database contains 7,73,000 records with personal data of the users. The hackers claimed that the breach took place around six to seven months ago.

Screenshot of post by hacker

The database contains email, dehashed password, country, phone number, date of birth, gender, address, city, state and more. The majority of the users in the list are from India, said the hacker in the post.

Screenshot of post by hacker

Majumdar contacted the hackers on Telegram

Majumdar tried to contact the hackers on the Telegram ID provided in the post. According to the chat screenshots posted by Majumdar, the hackers claimed that they have details of over 40 million users but want to sell details of only 7 lakh users at the moment. They may sell the whole dump in the future at a higher price. Allegedly, they have some plans with the data dump they have, the chat records revealed.

He further said that the hackers shared information of 40 users with him. When he tried to verify the details, he found that the majority of the credentials were, in fact, working, and he was able to log in with them. He added, “Among the credentials they shared, there were also @moneycontrolcom accounts which had their email address verified which hints that they are not dummy accounts made by the sellers (since only the owner of the email ID can verify the account).”

On further discussion with the hackers, they revealed that the database would be sold to five buyers at $350 each. If a single person wants to take control of the database, they will charge up to €650. The hackers further claimed that the vulnerability they exploited to extract the data has now been fixed.

Reverse searching numbers available in sample

Both Majumdar and OpIndia tried to match the phone numbers available in the sample provided by the hackers. The majority of the numbers matched the names mentioned in the sample accounts the hackers provided, lending authenticity to their claims.

MoneyControl’s reply

Pandurang Nayak, Chief Technology Officer, Digital, Network 18, replied to the thread on April 9 and said that prima facie, the data appears to be an old set. He said, “Appreciate that this has been brought to our attention. Prima facie, this appears to be an old data set. Information pertaining to current users is absolutely safe. The organisation takes its responsibility towards information security very seriously.”

He further added that the company had protocols in place to prevent data breaches. He said, “The best systems and protocols are in place to prevent data breaches. We review our systems periodically and constantly work to improve the security of our information based on feedback received.” Nayak did not openly accept that a data breach had happened.

MoneyControl started resetting users’ passwords

On April 10, a user replied to Majumdar’s thread on Twitter and said that MoneyControl had reset his password, claiming it was not in compliance with their latest password policy. The email contained the username and a new auto-generated password. Given the CTO’s claim that the information of new users is safe, one wonders what led the company to reset users’ passwords.

In response to Nayak’s reply, Majumdar asked him whether he acknowledged that there was a breach. He asked what criteria Nayak had used to conclude that the data is old. He also asked how the company is going to ensure the security of users whose accounts were created before the password policy was updated. Nayak had not replied by the time this report was published. We also tried reaching him, but have received no reply so far.

OpIndia reached out to Sourajeet Majumdar

While discussing the breach with OpIndia, Sourajeet Majumdar said that he disagrees with the CTO’s statement. He said, “Well, though the CTO mentioned in his tweet that the data is old, I disagree with his statement. I don’t think people’s address, name, DOB and phone number change very often and thus, calling it old data is not justified. Other than that, the login credentials which the hackers provided as a sample are valid and working, and I was able to log in to others’ Moneycontrol accounts; thus, this is definitely not old data.”

He further added that such data is a goldmine for cybercriminals. “The data, which has been leaked in this incident, is enough to track down a person. Criminals can thus run targeted ‘Phishing Campaigns’ or other ‘Social Engineering’ attacks against users, which might prove to be fatal. Also, since, in this case, even login credentials have been breached, somebody who has access to these credentials can easily log in to the user’s account and make any changes, and nothing can be worse than this,” he said.

An old data breach can leave users vulnerable

It is not just MoneyControl that tried to wash its hands of the alleged data breach by stating the database looks old. A few days back, when over 500 million user accounts of Facebook were leaked, the tech giant also made similar claims. However, both Facebook and MoneyControl failed to acknowledge that even if the data is old, it can be used by hackers to cause substantial damage.

According to the hacker, the database contains names, phone numbers, email IDs and other information. This information can be used to send spam emails and messages that can lead to financial loss. Even for an informed user who does not click on links in spam emails or messages, such messages are no less than a nuisance.

OpIndia Staff