CashKaro Refutes Reports Of Breach Of Personal Data Of 3.5 Mn Individuals

SUMMARY

The leak, found by researcher Anurag Sen, was first spotted at the end of August 2019

A security research team at Safety Detectives said Cashkaro.com and Pouringpounds.com have both made available key details about their active users

Safety Detectives said that the breach was fixed by CashKaro on September 21

In what could be a huge data and security breach for Indian shoppers, a security research team at Safety Detectives has alleged that Cashkaro and its UK-based parent company Pouringpounds have compromised data of up to 3.5 Mn individuals.

In a blog post, Safety Detectives said that the leak, found by the head of research Anurag Sen, was first spotted at the end of August 2019. The team first investigated it on September 2.

It said that the company disclosed the leak to the owner of the data and Sen made multiple attempts to contact them, including via Twitter. Safety Detectives further alleged that Cashkaro never forwarded the concern to their security team.

“We at Safety Detectives contacted them on September 19 and received a reply on September 21, and the database leak was closed the same day,” they added.

Founded in 2013 by Swati Bhargava and Rohan Bhargava, CashKaro works on an affiliate model and offers users cashback and coupons across over 1000 partner websites including Amazon.in, Snapdeal, Paytm, Shopclues, etc. The company website shows that it has crossed the 3.5 Mn users mark and has paid over INR 100 cr as cashback to users.

Backed by Kalaari Capital, the company has raised $5 Mn till date.

The Safety Detectives team has alleged that Cashkaro.com and Pouringpounds.com have both made available key details about their active users. This includes users’ names, mobile numbers, email addresses, plain text passwords, bank details linked with the account, IP addresses of the individual users, etc.

The team had created an account to test the visibility, but no bank account was connected to it. On CashKaro, the team allegedly could find full names, phone numbers, email addresses, login credentials to the platform, plaintext passwords, bank details linked to accounts, etc.

The company has emphasised that the data found seemed to be related to ‘active’ users – those who have logged in only in recent months. “For CashKaro.com – a site with over 2.5 Mn registered users – we also found plain text passwords and their associated accounts. Many logs containing bank account details and links to said accounts were found, as well; this is the information used during the checkout process,” the company said in the blog post.

It said that two whole terabytes of personally-identifying and financial/payment data of up to 3.5 Mn people is a very serious exposure by any measure.

On reaching out, CashKaro cofounder, Swati Bhargava, told Inc42, “We vehemently deny the inaccurate claims made in the blog post. We have repeatedly tried to contact Safety Detectives since the blog post was published and have requested to take the inaccurate blog post down, but have not received any revert from them. Maintaining the confidentiality of our customers is of utmost importance to us and we are deeply committed to protecting the same.”

Multiple security researchers Inc42 talked to said that since the servers are now offline, it can’t be confirmed if the leak happened, but the details seem genuine. They said that the breach happened because of an Elasticsearch instance open to the public without any authentication.
