This has already been dubbed the biggest KYC breach in history. According to independent cybersecurity analysts, a database holding the KYC information of nearly 3.5 million MobiKwik users, as well as personal and payment details of about 99,224,559 users, is for sale on the Dark Web.
The alleged breach is pegged at 8.2TB of data containing users’ phone numbers, emails, passwords, addresses, bank accounts, and Aadhaar card information. It was first tweeted by independent cybersecurity researcher Rajshekhar Rajaharia and then verified by French researcher Elliot Alderson (who called it the largest KYC leak).
MobiKwik Denying The Breach
MobiKwik has denied the breach.
However, a link to the dark web is accessible online, and many Twitter users have reported having seen their personal information there. Some of them also posted screenshots of the alleged MobiKwik user information, which was allegedly listed for sale on a popular hacker forum for 1.5 bitcoin, or around $86,000 (Rs 69 lakh).
“Over the last week, a media-crazed so-called security analyst has regularly presented fabricated files, wasting our organization’s time while desperately attempting to gain attention from the media. We conducted a comprehensive investigation into his statements and found no security vulnerabilities,” MobiKwik said in a tweet from its official account.
“Our users’ and company’s information is secure. He has been showing numerous sample text files that show nothing,” it went on, adding that anyone can make such text files to falsely harass any business.
MobiKwik’s legal team has also confirmed that it would pursue legal action against the investigator.
The denial is at odds with the fact that the seller on the hacker forum also identified MobiKwik as the source. In any case, photos of MobiKwik QR codes can be found in the leaked data samples.
“With the fixed price of 1.5 BTC ($84k), a customer can get the whole database and get the dark web site taken offline, keeping it exclusive,” according to a report in TechNadu.
The data seller also reported that the merchant entries could be used to obtain loans by impersonating the merchant.
According to the TechNadu report, “the listing says that every one of the merchant entries in the database can also be used to collect $500-$1,000 loans in Indian currency, so the 1.5 BTC investment could potentially yield up to three billion USD.”
According to news reports, the data dump contains 350GB of MySQL dumps or 500 databases; 99 million email addresses, phone numbers, passwords, physical addresses, IP addresses, GPS location, and device-related data; and also 40 million records of card numbers, expiry dates, and SHA-256 hashes.
It also has 7.5 terabytes of merchant KYC data for 3.5 million merchants. Passports, Aadhaar cards, PAN cards, selfies, other photo evidence, and other details were used by MobiKwik to provide loans to these clients.
MobiKwik, for the record, raised $7.2 million in a funding phase subsequent to its NASDAQ listing last week.