IPO-bound fintech startup Mobikwik was trending on Twitter all through Tuesday morning as multiple claims emerged on the microblogging platform about a purported data breach.
The Mobikwik data breach exposed 37 million files, Know-Your-Customer (KYC) documents of 3.5 million individuals, and 100 million phone numbers, emails, passwords, geodata, bank accounts and credit card data, as per a tweet from the handle @UnderTheBreach. The Twitter handle appears to be operated by Alon Gal, co-founder and CTO of Israel-based cybercrime intelligence firm Hudson Rock.
Closer home, Kiran Jonnalagadda, Hasgeek co-founder and CTO, chimed in saying that the MobiKwik leak is real. “Here is what the dump had for me. One of those credit cards was valid until a couple weeks ago, and I don't recall authorising MobiKwik to save it. Companies that lie like 👇 ought to be taken to the cleaners,” he added.
“Some users have reported that their data is visible on the darkweb. While we are investigating this, it is entirely possible that any user could have uploaded her/ his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the darkweb has been accessed from MobiKwik or any identified source,” Mobikwik said in a blog post on Tuesday.
The blog post said that when the data breach was first flagged about a month ago, the Gurugram-based startup undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach.
“The company is closely working with requisite authorities and is confident that security protocols to store sensitive data are robust and have not been breached. Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit,” the blog post added.
The matter first surfaced in late February, when an internet security researcher by the name of Rajshekhar Rajaharia tweeted that card data of 11 crore Indian cardholders, including personal details and KYC soft copies such as PAN and Aadhaar, had been leaked from Mobikwik’s server in India.
Rajaharia added that 6 terabytes of KYC data and a 350 GB compressed MySQL dump had been leaked. Have I Been Pwned founder Troy Hunt said “Never *ever* behave like @MobiKwik...” about Mobikwik’s first response to the matter, in a tweet.
Have I Been Pwned is a free data breach search and notification service that monitors security breaches and password leaks for users’ security. It had previously reported a data breach at Tiger Global-backed tutorial platform Vedantu.
French ethical hacker Elliot Alderson, an Aarogya Setu app critic, also posted about the development.
On Tuesday afternoon, Rajaharia said that he spoke with Mobikwik about the data breach on March 1. “I also reported a bug. They denied it too and removed that Bug in the next 1 hour. They saved their 1,000-rupee bounty by denying it,” he said in a tweet.
Several other users posted screenshots of the alleged data dump, which the hacker had put up for sale in bitcoin on the free and open-source anonymous communication platform Tor.
Hacker stole 8.2 TB data of @MobiKwik's 3.5 million users including their identity data, KYC & transaction details - which was up for sale for 1.5 #Bitcoin #BTC @UIDAI @RBI @GoI_MeitY @IndianCERT @India_Stack https://t.co/bpvVC6mUhp — Karma Bhutia (@iambhutia) March 30, 2021
Separately, British security firm Sophos on Tuesday said 52% of organisations in India said that they fell victim to a successful cybersecurity attack in the last 12 months. “Of these successful breaches, 71% of organisations admitted it was a serious or very serious attack, and 65 per cent said it took longer than a week to remediate,” Sophos said.
Founded in 2009 by Bipin Preet Singh and Upasana Taku, MobiKwik claims to have raised $110 million from investors including Sequoia Capital, MediaTek, and media companies Hindustan Media Ventures, NDTV, and Times Group owner Bennett Coleman and Company (BCCL).
After a fundraising round in November 2020, MobiKwik had said it aims to raise a total of Rs 120 to 150 crore by early 2021, with plans to take the company public in the current calendar year.