Fintech startup Mobikwik denied claims about a data breach impacting 100 Mn users, in what many are calling the biggest data leak from an Indian tech company. The leaked data is said to impact Mobikwik’s individual customers as well as the merchants that have procured loans from the company.
First spotted by independent cybersecurity researcher Rajshekhar Rajaharia earlier this month, the database contains user records for 11 Cr Mobikwik users with a whopping 8.2 TB of data. According to Technadu, which first reported the data leak, the seller of the database has set up a dark web portal where one can search by phone number or email ID. While this may be useful for attackers to initiate targetted attacks, the database can also be purchased for 1.5 Bitcoin (or roughly $85K).
The data dump is said to contain 350GB of MySQL dumps or 500 databases, 99 Mn email, phone, passwords, physical addresses, IP address, GPS location and device related data, as well as 40 Mn records of card numbers, expiry dates, card hashes (SHA256 enctrypted).
Besides this, the data dump also has 7.5 TB of merchant KYC data pertaining to 3.5 Mn merchants. This includes passports, Aadhaar cards, PAN cards, selfies, other photograph proof and more, essentially information that Mobikwik used to furnish loans to these customers. Further, the seller of the data claims that the merchant entries can be used to raise loans by posing as the merchant.
Mobikwik was founded in 2009 by Bipin Preet Singh and Upasana Taku. It started its journey as a digital wallet, but has transformed into a horizontal fintech platform that offers multiple financial services to its platform including credit, insurance, gold loans. In terms of funding, Mobikwik has raised close to INR 223 Cr ($29.56 Mn) to date from investors like Sequoia Capital, American Express, Bajaj Finserv and others.
“Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.” – Mobikwik statement on the data leak.
Further, on Twitter, the company said it would pursue legal action against Rajaharia over the claims in his tweet. “The various sample text files that he has been showcasing prove nothing. Anyone can create such text files to falsely harass any company,” the fintech company said.
But the company has not elaborated on how specifics such as Mobikwik QR codes and other Mobikwik branded devices are present in the leaked data. It is important to note that Mobikwik is looking to go for an IPO later this year and as such any data leak could severely impact its plans in that regard.
Besides Rajaharia, other researchers including French national Robert Baptiste who goes by Elliot Alderson on Twitter also claimed to have seen the data dump on the dark web. A group of researchers who go by the name XploitWizer on Twitter showed how easy it is to search for entries on the portal. You can watch the video here.
Besides such researchers and engineers, several Mobikwik users have also claimed that their data is present in the leaked database.