The thing about data leaks at technology companies is that the damage they cause tends to linger long after the incident happens and is fixed. The most recent case in point is the BigBasket data leak, which has now exposed the accounts of some Flipkart users and potentially those on other internet platforms. And this has come to light almost seven months after the leak was initially discovered.
In November last year, BigBasket was reported to have faced a potential data breach that leaked details of around 2 Cr users. The data was put up for sale for around INR 30 Lakh and in April this year, the data was leaked online. And now, many users who have been impacted in that alleged breach/leak, have complained that their Flipkart accounts are being hijacked.
The problem here could extend well beyond Flipkart, because in this case it is not Flipkart’s data that has been leaked but rather the usernames and passwords of BigBasket users (who use Flipkart as well). Many of these users are likely to have reused their BigBasket credentials on other platforms. Flipkart is simply the platform that users have complained about so far.
For instance, Satish Medapati, founder of customer service startup Intentico, notified Inc42 on Twitter about Flipkart data being leaked. In his tweet, Medapati showed a screenshot that revealed a list of email addresses, supposed passwords associated with the emails and ‘Coins’. The Coins were claimed to be the loyalty points that Flipkart offers its users.
Speaking to Inc42, Medapati claimed he was sent the screenshot by another individual on WhatsApp, whose identity could not be confirmed. Medapati also claimed that his Flipkart account details, including his name, were changed, following which he lost access to the account. He added that Flipkart’s customer support team has subsequently restored his access to the account. But before that, orders were placed through his account, for which he received many OTPs, as seen in screenshots shared by Medapati.
“About 17 orders were placed. Reward coins were used and there were attempts to buy through my saved credit cards on Flipkart. About 30+ OTPs on various issues came from Flipkart,” he said.
Inc42 has seen the list being circulated as Flipkart data, however, we could not confirm the details of the discussion between Flipkart and Medapati as that was a telephonic conversation.
Besides Medapati, others have also claimed (on Twitter) that their accounts have been hacked and some suspicious orders have been placed. An individual, who identified themselves as Laxmikant Pawar on Twitter, claimed his loyalty points or Coins were utilised to make purchases.
According to independent cybersecurity researcher Rajshekhar Rajaharia, the screenshot alleged to be Flipkart data is the same data that was leaked in late April 2021 after the BigBasket breach. This data has now been repurposed by nefarious players and passed off as Flipkart credentials, Rajaharia told Inc42. He also claimed that Telegram groups selling such data have been seen in the past few days.
Further, the data shown by Medapati is shown as being associated with the BigBasket leak on HaveIBeenPwned.com, a global database and tracker of hacks and data leaks.
In response to our queries on the alleged data leak and the protection being offered to users, a Flipkart spokesperson said, “The Flipkart Group is absolutely focused on maintaining the safety and security of our customer data and have robust information security systems and controls in place to safeguard data. In parallel, to create awareness on fraudulent activities we drive awareness campaigns across various media and social channels, educating customers on best practices for a safe online experience and to keep their accounts safe from unscrupulous cyber elements.”
The company did not directly address our questions about users claiming that their accounts were hacked.
Flipkart’s Major Faux Pas
Cybercriminals have long used data leaks from one platform to attempt to take over user accounts on other platforms. That’s because most individuals use the same email address for their primary online registrations and, worryingly, many users use the same password as well. This ‘habit’ is exploited by cybercriminals, who replay leaked username and password pairs against other sites. Rajaharia confirmed that the same approach has been used here. He added that the data shown in Medapati’s screenshot overlaps with the BigBasket data leak.
Rajaharia also called out Flipkart for not using two-factor authentication (2FA), which is ubiquitous in 2021. Amazon India uses 2FA when users log in from new devices, and so do Gmail and other platforms, so Flipkart not supporting it does seem like a major gaffe. A typical example of 2FA is when a person receives an OTP on their mobile number to authenticate logins. The same could also be enabled through email for mobile-less logins. But Flipkart does not support 2FA of any kind.
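From the defender’s side, the credential-replay pattern described above and the account-takeover symptoms the affected users report (profile details changed, then a burst of orders) both leave a visible trail in authentication and activity logs. The example below is added here and is not code from Inc42, Flipkart or BigBasket; it runs two simple detections over a constructed sample log (the IPs, accounts and thresholds are illustrative assumptions, not real data).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): timestamp source_ip account event outcome
SAMPLE_EVENTS = """\
2021-05-04T10:00:01 203.0.113.7 alice@example.com login fail
2021-05-04T10:00:02 203.0.113.7 bob@example.com login fail
2021-05-04T10:00:03 203.0.113.7 carol@example.com login success
2021-05-04T10:00:04 203.0.113.7 dave@example.com login fail
2021-05-04T10:00:05 203.0.113.7 erin@example.com login fail
2021-05-04T10:01:10 203.0.113.7 carol@example.com profile_change success
2021-05-04T10:02:00 203.0.113.7 carol@example.com order success
2021-05-04T10:02:30 203.0.113.7 carol@example.com order success
2021-05-04T10:03:00 203.0.113.7 carol@example.com order success
2021-05-04T11:00:00 198.51.100.9 grace@example.com login success
"""

def parse_events(text):
    # One event per line -> (datetime, ip, account, event, outcome)
    rows = (line.split() for line in text.splitlines())
    return [(datetime.fromisoformat(ts), ip, a, ev, out) for ts, ip, a, ev, out in rows]

def stuffing_sources(events, min_accounts=5, max_success_ratio=0.5):
    """IPs trying many distinct accounts with mostly failed logins: a leaked list being replayed."""
    tries = defaultdict(list)
    for _, ip, acct, ev, out in events:
        if ev == "login":
            tries[ip].append((acct, out))
    flagged = {}
    for ip, rows in tries.items():
        hits = sorted(a for a, o in rows if o == "success")  # accounts the source got into
        if len({a for a, _ in rows}) >= min_accounts and len(hits) / len(rows) <= max_success_ratio:
            flagged[ip] = hits
    return flagged

def takeover_candidates(events, window=timedelta(minutes=15), min_orders=3):
    """Successful login followed within `window` by a profile change and an order burst."""
    by_acct = defaultdict(list)
    for e in events:
        by_acct[e[2]].append(e)
    flagged = []
    for acct, evs in by_acct.items():
        evs.sort()  # chronological; tuples sort by their datetime first
        for i, (ts, _, _, ev, out) in enumerate(evs):
            later = [e for e in evs[i + 1:] if e[0] - ts <= window]
            if (ev == "login" and out == "success"
                    and any(e[3] == "profile_change" for e in later)
                    and sum(e[3] == "order" for e in later) >= min_orders):
                flagged.append(acct)
                break
    return flagged
```

Accounts returned by `stuffing_sources` are the ones whose reused password worked and so warrant a forced password reset and session invalidation; `takeover_candidates` is the post-login check that would have caught the order burst the victims describe.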
Flipkart did not respond to our questions about the lack of 2FA support and whether it will be introducing this in the near future.
Will Tech Startups Take Any Responsibility For Data Leaks?
Last year, BigBasket had claimed that the privacy and confidentiality of customers is a priority and it does not store any financial data including credit card numbers. “The only customer data that we maintain are email IDs, phone numbers, order details and addresses so these are the details that could potentially have been accessed. We have a robust information security framework that employs best-in-class resources and technologies to manage our information. We will continue to proactively engage with best-in-class information security experts to strengthen this further,” BigBasket had said.
Rajaharia and others have claimed that by being in denial, these companies are causing more harm than they think. “The same could be said about Mobikwik,” Rajaharia told us, pointing out the massive leak that impacted the fintech startup, which was swiftly denied by the company despite quite a lot of evidence to the contrary.
Such denials are simply not enough from the point of view of consumers and end-users. When systems are compromised in a hyperconnected ecosystem, the ripple effect often is far and wide. This is why data leaks that compromise passwords can be so damaging to the fabric of internet safety. India is still not close to a data protection law as the Personal Data Protection Bill is still to be tabled. With no law to mandate data leak disclosures and regulate the resolution of such incidents, companies get leeway to keep pulling the wool over the eyes of consumers.