'Largest KYC leak ever': Data of 10 crore Indians exposed at MobiKwik

It has already been termed as the largest KYC leak ever. Independent cyber security researchers have claimed that a database containing KYC details of nearly 3.5 million users of Indian payment app MobiKwik, in addition to  personal and payments data of about 99,224,559 users, is up for sale on the Dark Web.

First tweeted by the independent cyber security researcher, Rajshekhar Rajaharia, and then confirmed by the French researcher Elliot Alderson, (who termed it the largest KYC leak), the alleged breach is pegged at 8.2TB data containing users’ phone numbers, emails, passwords, addresses, bank accounts and Aadhaar card details.

Mobikwik has denied the breach.

But a link from the dark web is available online, and several users on twitter have claimed seeing their personal details in it.

Some of then even posted screenshots of the alleged MobiKwik user data, which was reportedly up for sale for 1.5 bitcoin or about $86,000 (Rs 69 lakh) on a popular hacker forum.

"A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organization while desperately trying to grab media attention. We thoroughly investigated his allegations and did not find any security lapses," MobiKwik tweeted from its official handle.

Our user and company data is completely safe and secure. The various sample text files that he has been showcasing prove nothing. Anyone can create such text files to falsely harass any company, it added.

MobiKwik also said that its legal team will pursue action against the researcher.

Seller says data can be used to raise loans

Screenshot of what the seller at hacker forum claims to have in possession

Screenshot of what the seller at hacker forum claims to have in possession. (Image credit: TechNadu)

The denial does not square with the fact that the seller at the hacker forum has also calimed the the source to be MobiKwik. The samples of leaked data, in any case, contain images of MobiKwik QR codes.

As per a report in TechNadu, "for the set price of 1.5 BTC ($84k), a buyer can get the entire database and have the dark web portal taken offline, keeping everything exclusive."

The seller of the data also claimed that the merchant entries can be used to raise loans by posing as the merchant.

"The seller claims that each of the merchant entries in the database can be used to raise $500-$1,000 loans in Indian currency, so the investment of the 1.5 BTC could supposedly yield up to three billion USD," the TechNadu report added.

The data dump is said to contain 350GB of MySQL dumps or 500 databases, 99 million email, phone, passwords, physical addresses, IP address, GPS location and device related data, as well as 40 million records of card numbers, expiry dates, card hashes (SHA256 encrypted).

Further, it also has 7.5TB of merchant KYC data pertaining to 3.5 million merchants. Details of passports, Aadhaar cards, PAN cards, selfies, other photograph proof and other information that MobiKwik used to furnish loans to these customers. 

For the record, MobiKwik had last week raised $7.2 million in a funding round prior to the listing on the stock exchange.



Comments