Data of 3.5 m MobiKwik users allegedly hacked

Personal details of 3.5 million MobiKwik users seem to have been leaked, according to independent cybersecurity researchers. The Gurugram-based fintech platform, however, denied any breach, saying its user and company data are completely safe and secure.

The breach was flagged by French cybersecurity researcher Elliot Alderson in a tweet on Monday. “Probably, the largest KYC data leak in history. Congrats MobiKwik,” he tweeted with a screenshot of the data leak. “This database is 8.2TB and contains 36,099,759 files,” the screenshot showed, adding that it contained KYC data of nearly 3.5 million people. It is reported to be up for sale on the Dark Web.

In a statement, MobiKwik said, “Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organisation as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.”

The breach was initially flagged by Internet security researcher Rajshekhar Rajaharia in early March. In a tweet on March 4, he had said that this leak involves 11 crore Indian cardholders’ data, which were allegedly leaked from a MobiKwik server. Some users also confirmed that their data were available online.

“All my details including name, address, bank account details are there on the link shared by the independent researcher,” said a Chennai-based MobiKwik user. The allegation of a data breach comes even as MobiKwik is reportedly targeting an initial public offering before September to raise $200-250 million.

Data breach on the rise

The number of data breaches in India has been rising over the last two years. In November, BigBasket had filed a complaint with the Cyber Crime Cell in Bengaluru to verify claims made by cybersecurity intelligence firm Cyble that a hacker had put up the online grocer’s user data for sale on the Dark Web for over $40,000. In May, Edutech startup Unacademy had also disclosed a data breach that compromised the accounts of 22 million users.

According to the national cybersecurity agency, cyber attacks have surged from 53,117 in 2017 to 208,456 in 2018, 394,499 in 2019, and 11,58,208 in 2020.

“If the allegations are true, MobiKwik should have automatically reported the breach to its users. What is currently missing is the deterrent message when it comes to policy. Criminal prosecution should be initiated against companies for data leakages,” said a cybersecurity expert on conditions of anonymity.