Payment app Mobikwik faced a major data leak on Monday after a security researcher claimed that the data of 3.5 million users was up for sale on the dark web.
The researcher claimed that the information put up for sale on the dark web covers 3.5 million users and includes KYC details, addresses, phone numbers, Aadhaar card data and other details of the users. Various users have reportedly spotted their details through the dark web link that is being circulated on the internet.
Mobikwik CEO Bipin Preet Singh, in a statement regarding the alleged data breach involving Mobikwik, said, “Some users have reported that their data is visible on the dark web. While we are investigating this, it is entirely possible that any user could have uploaded his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from Mobikwik or any identified source.”
However, the company's claims do not match those of the users who have spotted their details on the dark web.
Security researcher Rajshekhar Rajaharia was the first to spot the data breach in February. “11 crore Indian cardholders’ card data, including personal details & KYC soft copy (PAN, Aadhaar etc.) allegedly leaked from a company’s Server in India. 6 TB KYC Data and 350GB compressed MySQL dump,” he had said.
The screenshots of the Mobikwik breach were posted on Twitter by another security researcher, Elliot Alderson. He called it the “largest KYC data leak in history”.
As per a report, the email IDs, phone numbers, passwords, apps installed, phone manufacturer, IP address, GPS locations, and other details of users were leaked.
The report further reveals that the alleged seller has set up a dark web portal “where one can search by phone number or email ID and get the specific results out of a total of 8.2 TB of data.”
The company had denied Rajshekhar’s claims back in February, but on Monday, a dark web link was reportedly spotted online through which users claimed to see their details.
Several users also posted screenshots of the Mobikwik users’ data that was on the dark web. As per reports, the data was being sold for 1.5 bitcoin or about $86,000. However, Mobikwik has denied outright the claims made by Rajaharia.
A company spokesperson said, “Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.”