Hackers selling 8.2 TB of data from MobiKwik mobile payment service

The hackers are selling data of the Indian fintech platform Mobikwik, which provides financial services and a mobile payment gateway to 120 million users. The services of this company are used by about 3,000,000 sellers and suppliers.

Last month, cybersecurity researcher Rajshekhar Rajaharia discovered a dump on the darknet containing 8.2 terabytes of personal data, allegedly belonging to millions of Mobikwik users.

This database includes names, phone numbers, email addresses, residential addresses, GPS data, hashed passwords, list of installed applications, transaction logs, bank account numbers, and parts of payment card numbers for 40,000,000 people. The seller estimated the value of the base at 1.2 bitcoins, which is about $70,000.

Hackers selling MobiKwik data

The dump also contains KYC (Know Your Customer) data for 3,500,000 people, including copies of AADHAAR cards that are assigned to citizens of the country by the UIDAI system (Unique Identification Authority of India) and PAN ID.

Even worse, it turned out that MobiKwik does not delete information about the cards from its servers even after the user has deleted them, which is a violation of the law.

The hacker who put the data up for sale even created a special search portal, so that anyone could check his name among the victims. Currently, the idea of such a simple search had to be abandoned due to the large volume of traffic and adding a captcha to block bots that trying to collect data.

Hackers selling MobiKwik data

After the publication of the researcher, MobiKwik representatives said that there was no data breach, the investigation did not reveal any violations, and Rajakhariya just wants to “attract the attention of the press.” The company also added that MobiKwik lawyers will take action “against this so-called researcher who is trying to tarnish the brand’s reputation for hidden motives.”

“Various samples of text files that [the researcher] has demonstrated do not prove anything. Anyone can create such text files to falsely harass any company”, — MobiKwik representatives wrote.

This reaction has already drawn criticism from other cybersecurity specialists.

“Never, *never* behave like @MobiKwik in this thread 25 days ago”, — Troy Hunt, founder of Have I Been Pwned, said on Twitter.

Despite criticism, now the incident has become public, while MobiKwik continues to deny it. A new statement from the company claims that customers who found their data on the darknet could upload it themselves:

“Some users have reported that their data can be found on the dark web. While we are researching this issue, it is entirely possible that any user could upload information to several platforms. Therefore, it is incorrect to assume that the data available on the dark web came from the MobiKwik network or any other identified source.”

Although third-party cybercriminals allegedly found no evidence of a data breach even after conducting a thorough investigation, the company promises to bring in more experts and conduct a security audit. However, it is reported that “the security protocols for storing sensitive data are reliable and have not been violated.”

Let me remind you about the fact that the Shiny Hunters group sells data of 10 hacked companies, and that The operator of an online store selling stolen bank cards sentenced to 7.5 years in prison.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *


This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button