In what could be a huge data and security breach for Indian shoppers, a security research team at Safety Detectives has alleged that Cashkaro and its UK-based parent company Pouringpounds exposed the personal data of up to 3.5 Mn individuals.
In a blog post, Safety Detectives said that the leak, found by the head of research Anurag Sen, was first spotted at the end of August 2019. The team first investigated it on September 2.
Safety Detectives said it disclosed the leak to the owner of the data, and that Sen made multiple attempts to contact the company, including via Twitter. It further alleged that Cashkaro never forwarded the concern to its security team.
“We at Safety Detectives contacted them on September 19 and received a reply on September 21, and the database leak was closed the same day,” they added.
Founded in 2013 by Swati Bhargava and Rohan Bhargava, CashKaro works on an affiliate model and offers users cashback and coupons across over 1000 partner websites including Amazon.in, Snapdeal, Paytm, Shopclues, etc. The company website shows that it has crossed the 3.5 Mn user mark and has paid over INR 100 cr as cashback to users.
Backed by Kalaari Capital, the company has raised $5 Mn till date.
The Safety Detectives team has alleged that Cashkaro.com and Pouringpounds.com both left key details about their active users publicly accessible. These include users' names, mobile numbers, email addresses, plaintext passwords, bank details linked to the account, IP addresses of individual users, etc.
The team created a test account to confirm what was visible, though no bank account was connected to it. On CashKaro, the team says it could see full names, phone numbers, email addresses, platform login credentials including plaintext passwords, bank details linked to accounts, and more.
Safety Detectives emphasised that the data found appeared to relate to 'active' users, i.e. those who had logged in in recent months. "For CashKaro.com – a site with over 2.5 Mn registered users – we also found plain text passwords and their associated accounts. Many logs containing bank account details and links to said accounts were found, as well; this is the information used during the checkout process," it said in the blog post.
The post added that two terabytes of personally identifying and financial/payment data on up to 3.5 Mn people is a very serious exposure by any measure.
On reaching out, CashKaro cofounder, Swati Bhargava, told Inc42, “We vehemently deny the inaccurate claims made in the blog post. We have repeatedly tried to contact Safety Detectives since the blog post was published and have requested to take the inaccurate blog post down, but have not received any revert from them. Maintaining the confidentiality of our customers is of utmost importance to us and we are deeply committed to protecting the same.”
Multiple security researchers Inc42 talked to said that since the servers are now offline, it cannot be confirmed that the leak happened, but that the details seem genuine. They said the exposure happened because of an Elasticsearch instance that was open to the public without any authentication.
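The check behind that finding is simple to reproduce. The script below is an added example, not the researchers' or CashKaro's code: it probes a URL for an Elasticsearch node that answers without credentials (the root document carries a fixed tagline, and `/_cat/indices` lists every index with its document count), and reports a 401/403 as "security enabled" rather than "exposed". The two in-process HTTP servers, the version string, the index names and the document counts are all constructed for the demo.

```python
"""Probe a host for an Elasticsearch node that answers without authentication.

Added example; not tooling from the article or the companies it covers. The
two in-process servers stand in for (a) a node with no security enabled and
(b) a node that demands credentials. Index names and counts are made up.
"""
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

ES_TAGLINE = "You Know, for Search"  # banner every Elasticsearch root document carries
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies


def check_elasticsearch(base_url, timeout=3):
    """GET / and, if it returns the Elasticsearch banner with no auth challenge,
    GET /_cat/indices. 'exposed' is True only for an unauthenticated node."""
    result = {"url": base_url, "exposed": False, "reason": "", "indices": []}
    try:
        with _opener.open(base_url + "/", timeout=timeout) as resp:
            root = json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        # 401/403 means security is on: the node exists but is not open
        suffix = " (credentials required)" if err.code in (401, 403) else ""
        result["reason"] = f"HTTP {err.code}{suffix}"
        return result
    except (urllib.error.URLError, OSError, ValueError) as err:
        result["reason"] = f"not reachable or not JSON: {err}"
        return result
    if root.get("tagline") != ES_TAGLINE:
        result["reason"] = "HTTP service, but not Elasticsearch"
        return result
    result["exposed"] = True
    version = root.get("version", {}).get("number", "?")
    result["reason"] = f"Elasticsearch {version} answers without credentials"
    try:
        with _opener.open(base_url + "/_cat/indices?format=json", timeout=timeout) as resp:
            # _cat returns docs.count as a string; normalise to int for reporting
            result["indices"] = [(row["index"], int(row["docs.count"]))
                                 for row in json.loads(resp.read().decode())]
    except (urllib.error.URLError, OSError, ValueError, KeyError):
        pass  # listing failed, but the open root response already proves exposure
    return result


class _QuietHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep demo output clean
        pass

    def _send(self, code, body, headers=()):
        data = json.dumps(body).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        for name, value in headers:
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


class OpenNode(_QuietHandler):
    """Constructed stand-in for a node with no authentication (the reported failure mode)."""
    def do_GET(self):
        if self.path == "/":
            self._send(200, {"name": "node-1", "version": {"number": "6.8.0"}, "tagline": ES_TAGLINE})
        elif self.path.startswith("/_cat/indices"):
            self._send(200, [{"index": "users", "docs.count": "3500000"},
                             {"index": "logs-2019.09", "docs.count": "12000"}])
        else:
            self._send(404, {"error": "no handler"})


class SecuredNode(_QuietHandler):
    """Constructed stand-in for a node with security enabled: every request gets 401."""
    def do_GET(self):
        self._send(401, {"error": "unauthorized"},
                   headers=[("WWW-Authenticate", 'Basic realm="security"')])


def _serve(handler):
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def run_demo():
    """Probe both constructed nodes; returns (open_result, secured_result)."""
    results = []
    for handler in (OpenNode, SecuredNode):
        server, url = _serve(handler)
        try:
            results.append(check_elasticsearch(url))
        finally:
            server.shutdown()
            server.server_close()
    return tuple(results)


if __name__ == "__main__":
    for r in run_demo():
        state = "EXPOSED" if r["exposed"] else "closed"
        print(r["url"], state, "-", r["reason"], r["indices"])
```

The fix on the server side is the mirror image of the check: bind the HTTP interface to a private address with `network.host` in `elasticsearch.yml` and keep port 9200 behind a firewall or an authenticating reverse proxy, and on releases that ship security in the free tier (6.8 and 7.1 onwards) set `xpack.security.enabled: true` so that the root document itself returns 401. Earlier releases, which is what much of the open Elasticsearch found around 2019 was running, had no built-in authentication without a paid licence or a third-party plugin, which is exactly why a bare network listener was enough to expose an entire index.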