Mobikwik, one of India’s most prominent digital payments platforms, is facing what has been claimed as one of the largest data breaches of its kind. On Friday, March 26, independent cyber security researcher Rajshekhar Rajaharia informed News18 about a massive data dump on the dark web. The researcher, who had previously alleged a direct data breach from one of Mobikwik’s servers to have revealed personal and sensitive data of almost 11 crore users earlier in March, shared proof of the Mobikwik data breach that was, and still is, live in a database on the dark web. Hackers who have seemingly exploited the Mobikwik data breach were reportedly selling it for 1.5 BTC (approx. Rs 63.7 lakh), which is not a lot of money for a data trove of such scale.
What does the Mobikwik data breach include
News18 could independently access the 8.2TB data dump, which is still live via a TOR link. The leaked data that has been stored on the database was initially made available for public search, using which users could tally their email addresses and phone numbers that may have been hosted on the allegedly breached Mobikwik servers. The search feature on this database, which allowed users to access it and search for their own data in this vast trove, has now been disabled to prevent bots from automating search and retrieving sensitive user data. The Mobikwik data breach, however, still appears to remain online, News18 can confirm. The hosted database further states that a lot of data has now been masked in order to prevent malicious threat actors from misusing the information hosted online.
The Mobikwik data breach claims to have 3.61 crore files in it, which contain KYC (Know Your Customer) data belonging to almost 35 lakh individuals. It also claims to have 9.92 crore entries of data that include “users’ phone numbers, emails, hashed passwords, addresses, bank accounts and card details.” Rajaharia told News18 that he has already informed the Indian Computer Emergency Response Team (CERT-In), and also shared transcripts of his official conversation with Mobikwik.
What is Mobikwik saying so far
While CERT-In has not issued any response so far to Rajaharia’s complaint, Mobikwik too has remained silent on the matter. A Mobikwik spokesperson, in response to News18’s request for a comment, stood by Mobikwik’s initial response on the matter from about a month ago — which has now also been reposted by Mobikwik co-founder, Upasana Taku. The spokesperson also confirmed to News18 that the company will soon issue a revised statement on the issue, but largely stands by its initial stance on the matter.
On March 4, responding to reports of data linked to almost 11 crore individuals being leaked online, Mobikwik had shot back by addressing the whistleblower as “a media-crazed so-called security researcher”, and labelled the Mobikwik data breach allegations as “concocted files, wasting precious time of the organisation.” The company further claimed that it had thoroughly investigated the allegations, but found no lapse of security.
What the cyber security community is saying
While Mobikwik largely continues to deny its data breach allegations, the cyber security community has largely stood by Rajaharia and his reports. Noted French cyber security researcher Robert Baptiste, who goes under the pseudonym Elliot Alderson on Twitter, underlined the data leak as “probably the largest KYC data leak in history.” Another credible source who backed up the Mobikwik data breach reports is Alon Gal, founder and CTO of cyber threat data intelligence startup Hudson Rock. Backing up Baptiste’s post on Twitter, Gal posted details about this “whopping” data breach, before adding, “For each individual there is just an astounding amount of information, this is really just a devastating hack and all the data is up for sale by the threat actors. [sic]”
Troy Hunt, creator of well-known breached password and account tracker Have I Been Pwned, also posted about the data breach criticising Mobikwik’s response to the reports. Such reports about the Mobikwik data breach remain uniform across the cyber security community, and News18 could independently confirm that the databases claiming to be sourced from Mobikwik servers do have chunks of user data with sensitive, identifiable information. A sample breached data folder that News18 could access also backs up all the claims made by the security community, even though the company continues to deny the breach.
Kiran Jonnalagadda, co-founder of Hasgeek, also backed up the claims, offering evidence such as entries of contacts in the data dump. However, Jonnalagadda also underlines that while all of this information is highly compelling right now, Mobikwik’s hashing of passwords in its server database appears to be holding up, which means that the leaked passwords cannot be reversed and used to breach accounts. This means that until Mobikwik comes forth to accept the breach, all of this data will remain circumstantial, albeit very strongly so.
Jonnalagadda has also shared an interesting set of background information, which includes details such as the other apps on a user’s phone and their GPS coordinates, alluding to the kind of data that the installed Mobikwik app is allegedly collecting in the background from a user’s phone. Mobikwik has also refrained from confirming the same.
What should you do right now?
Even though no company confirmation has been issued so far, it would be good practice to update all previously saved passwords. Not only would it be prudent to set a new password on your Mobikwik account, but you should also update the passwords for your email addresses and set up two-factor authentication (2FA), including OTPs and fixed passcodes, wherever possible. Additionally, remove all previously saved banking information from Mobikwik and linked services, and update their passcodes accordingly as well. While your account may not be breached, thanks to the passwords in the data leak reportedly being hashed, the presence of other identifiable data in this leak means that it may not be prudent to leave all of your information online without updating your credentials.