MobiKwik is under fire for the leak of 3.5 million user data on the darknet. Independent security researcher Rajshekhar Rajaharia brought this topic to light.

Written BySanjana Kalyanpur

Source: Shutterstock

Close to 8.2 terabytes (TB) of data of MobiKwik users were leaked on the darknet. This contained sensitive information of the users including their know-your-customer (KYC) details, Aadhaar card data, PAN card, addresses to name a few. The company has denied the data breach but security researcher Rajshekhar Rajaharia has enough information to turn the tables.

MobiKwik Data Breach

This piece of news first came to light in February when Rajaharia addressed the public on Twitter that a hacker was selling MobiKwik user data, which is usually shared during the KYC procedure in confidence, on the darknet. He even pointed out to DH that the personal data of several high-profile Indian tech company founders were found in the compressed data dump. Rajaharia is a renowned independent security researcher who has been credited for bringing to light various dubious schemes that include the bug that caused WhatsApp group invites on Google searches last year and the Bharti Airtel data leak.

MobiKwik was quick to respond to the rumours. Their spokesperson said to DH, “Some security researchers have repeatedly attempted to present concocted files wasting precious time of our organization. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.”

Payment app MobiKwik on Monday came under fire for an alleged data leak that has exposed close to 8.2 terabytes (TB) of data, including know-you-customer (KYC) details, addresses, phone numbers, Aadhaar card data of its users on the dark web.

According to reports, data of close to 3.5 million users was at risk.

The company, however, denied the breach.

The leak was first reported in February by security researcher Rajshekhar Rajaharia, which the company had denied at the time.

However, on Monday, a link from the dark web began circulating online, and several users confirmed seeing their personal details in it.

Many people also posted screenshots of the alleged MobiKwik user data, which, according to sources, was up for sale for 1.5 bitcoin or about $86,000.

While the passwords were encrypted on masked in the data, the other personal details were not.

“Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organisation as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure,” a MobiKwik spokesperson said.

The researcher, Rajaharia, had tweeted details of the leak on February 26: “11 crore Indian cardholders’ card data, including personal details and KYC soft copy (PAN, Aadhar, etc) allegedly leaked from a company’s server in India. 6 TB of KYC data and 350 GB of compressed mysql dump”.

He followed his tweets by subsequently naming MobiKwik, which, he said, had removed an old post about a previous data breach from 2010.

MobiKwik said the blog post was never removed and continues to be up.

If the breach has indeed occurred, there is very little users can do except demand accountability from the company, said a security researcher who did not wish to be named.

“Given the large data set, there is a big chance that scammers will be able to scam people and sound more authentic. Even though the passwords seem encrypted in the data, all the other details like PAN card, Aadhaar card etc have not been masked. This makes anyone listed in the database vulnerable to fraud. The details include phone number and email IDs too, so it gives scammers an easy way to reach out to the users,” said independent security researcher Indrajeet Bhuyan.

MobiKwik had last week raised $7.2 million in a funding round prior to the listing on the stock exchange.

According to Entrackr, Mobikwik’s post-money valuation currently stands at $493 million with the latest funding round.

French hacker Robert Baptiste, also known as Elliot Alderson on Twitter, followed up on the topic of interest and gave his two cents. His tweet read, “Probably the largest KYC Data Leak in history. Congrats MobiKwik…” This tweet was attached with a screenshot of the leaked data. As of now, MobiKwik is yet to revert to this situation and is choosing to lay low.

French hacker Robert Baptiste, who goes by the pseudonym Elliot Alderson on Twitter, also tweeted on Monday, “Probably the largest KYC data leak in history.

Congrats Mobikwik…”, and posted a screenshot of the leaked data.

The MobiKwik data leak has since then been a hot topic on Twitter and has seen a contribution of polar opposite views from netizens. While some are in favour of the Indian online payment company, many are siding with Rajaharia on this and are demanding a convincing clarification from the company. Last week, MobiKwik reportedly raised $7.2 million in a funding round after which it got listed on the stock exchange. As per Entrackr, its post-money valuation stands at $493 million at the moment.