MobiKwik’s user data has allegedly been breached and is purportedly available for access by hackers through a dedicated search engine. The Gurugram-based digital wallet company is denying the data breach. However, independent security researchers have claimed that the data — over 8.2TB in size — has been put on sale on the dark Web for quite some time now. Gadgets 360 was first informed about the alleged data breach in February. The hackers group, that allegedly had access to the data for months, has now made it accessible through a search engine that suggests some of the leaked data elements — including the names, phone numbers, and email IDs of millions of affected users.
Denying the claims of any sensitive data leaks, MobiKwik said that it did not find any evidence of a breach.
“As a regulated entity, the company takes its data security very seriously and is fully compliant with applicable data security laws. The company is subjected to stringent compliance measures under its PCI-DSS and ISO Certifications which includes annual security audits and quarterly penetration tests to ensure security of its platform,” a MobiKwik spokesperson said in an emailed statement.
The spokesperson added that the company was closely “working with requisite authorities” on the matter and will get a third party to conduct a forensic data security audit, considering the seriousness of the allegations.
“For its users, the company reiterates that all MobiKwik accounts and balances are completely safe,” the spokesperson said.
Cyber-security researcher Rajshekhar Rajaharia first informed Gadgets 360 about the data breach on February 25. He had said that credit and debit card details, names, email addresses, and other details of more than 100 million users were leaked on the dark Web. The researcher also stated that apart from the details in text, know-your-customer (KYC) information that included scanned documents such as Permanent Account Number (PAN) and Aadhar cards as well as bank statements of over five crore users were put on sale by the hackers group that is known by pseudonym “ninja_storm.”
The researcher had shared some sample files that included a table structure with a reference about MobiKwik’s payment gateway Zaakpay.
Shortly after receiving the details from the researcher, Gadgets 360 reached out to MobiKwik co-founders Bipin Preet Singh and Upasana Taku. The executives, however, didn’t provide any clarity on the breach at that time. An email sent to CERT-In also didn’t receive any correspondence.
MobiKwik on March 4 publicly denied its role in the data breach and called the researcher “media-crazed”, without naming Rajashekar explicitly. The company also alleged that the researcher in question presented “concocted files” to “grab media attention”.
However on Monday, French security researcher Robert Batiste, who’s known as Elliot Alderson on Twitter, posted the details about the alleged data breach. He also provided the details about the search engine that was purportedly created by the hackers group on the dark Web and included some user details.
Several users on social media posted that they were able to find their details from that search engine.
The MobiKwik leak is real. Here is what the dump had for me. One of those credit cards was valid until a couple weeks ago, and I don’t recall authorising MobiKwik to save it. Companies that lie like 👇 ought to be taken to the cleaners. https://t.co/sptyC1Jz8f pic.twitter.com/c4Uu25OviP
— Kiran Jonnalagadda (@jackerhack) March 29, 2021
Some of my data is there. In fact even the accurate date for the creation of my mobikwik account, in 2013, is there.
Thankfully, it’s an old expired card mentioned, because I only used mobikwik that one time.
Some, if not all, user data has leaked Bipin. https://t.co/6V2KZrY4ra
— Nikhil Pahwa (@nixxin) March 30, 2021
However, Gadgets 360 wasn’t able to independently verify whether the available details were related to the alleged MobiKwik data breach.
Orbital, the Gadgets 360 podcast, has a double bill this week: the OnePlus 9 series, and Justice League Snyder Cut (starting at 25:32). Orbital is available on Apple Podcasts, Google Podcasts, Spotify, and wherever you get your podcasts.