SUMMARY
Personal data of over 7 lakh users has allegedly been leaked on the dark web, where it’s available for sale for $350
According to independent cybersecurity researcher Sourajeet Majumder, the leaked data includes users’ usernames, passwords, phone numbers, email addresses and their city and state of residence
Worryingly, the leaked passwords are in plain text, allowing Sourajeet to verify that the leaked details are genuine for a sample of 40 accounts whose details have been leaked
Network18-owned financial portal Moneycontrol, which has reported extensively about data breaches affecting companies such as Upstox and Mobikwik, seems to have suffered the same fate, as personal data of over 7 lakh users has allegedly been leaked on the dark web, where it’s available for sale for $350.
Worryingly, passwords stored in plain text have also been leaked, which prompted the company to reset the passwords of some users.
According to independent cybersecurity researcher Sourajeet Majumder, the leaked data includes users’ usernames, plain-text passwords, phone numbers, email addresses and their city and state of residence. Since the passwords are in plain text, anyone with access to the sample of 40 accounts released by the hackers can verify that the leaked details are genuine, Majumder told us and said that he has himself verified many of the leaked accounts.
Inc42 also verified the leaked data to be genuine for a few users. It is worth noting that some of the affected users are those who have subscribed to Moneycontrol’s paid subscription service Moneycontrol Pro.
The leaked database, a screenshot of which has been shared by Majumder on Twitter, contains details of 7,73,000 Moneycontrol users. However, hackers behind the data leak have claimed to be possessing details of 40 Mn users on the website.
Majumder has claimed that just a day after he made news of the data leak public on Twitter, Moneycontrol sent an email to some users, informing them that their password had been reset as it didn’t comply with the platform’s updated policy. But Majumder has claimed that Moneycontrol hasn’t updated its password policy in years.
Majumder has learnt from the hackers that they were able to hack the details of the website’s users through a blind SQL injection that asks the database true or false questions and determines the answer based on the application’s response.
Inc42 first got word of this data leak through cybersecurity researcher Rajshekhar Rajaharia, who had spotted the leaked database uploaded on MediaFire in February. Days later, the file was removed by e-Eighteen.com Limited, which owns Moneycontrol and is a subsidiary of Reliance-owned Network18.
Responding to Majumder’s claims, Pandurang Nayak, chief technology officer for Digital at Network18, wrote on Twitter that the leaked data was old. “Information pertaining to current users is absolutely safe. The organisation takes its responsibility towards information security very seriously,” he added.
“The best systems and protocols are in place to prevent data breaches. We review our systems periodically and constantly work to improve the security of our information based on feedback received.”
Moneycontrol didn’t respond to our queries about the data breach by the time of publication. The online financial portal claims to have 17 Mn monthly visitors.
The Moneycontrol data leak comes days after online discount broking platform Upstox suffered a data breach that allegedly affected 2.5 Mn users. And last month, fintech startup Mobikwik denied claims about a data breach impacting 100 Mn users. Data breaches that affected global tech giants Facebook and LinkedIn have also made the news in recent weeks.
A report by IBM’s ‘Cost of a Data Breach Report 2020’ states that Indian companies witnessed an average $2 Mn total cost of a data breach in 2020, representing an increase of 9.4% from 2019. A total of over 26,100 Indian websites were hacked last year as per the data recorded by the state-owned Indian Computer Emergency Response Team (CERT-In).
