[Update] Security Tracker Retracts Allegations Of 2020 Data Breach At Paytm Mall

Update | July 30, 08:30 PM

The online security tracker in question has retracted its claims.

“An update on this breach: after loading it into @haveibeenpwned, the head of @paytm’s infosec team reached out and we had a chat about the authenticity of the data, which they believe didn’t originate from them. We now collectively believe it’s fabricated”, Have I Been Pwned’s Troy Hunt said.

In a statement sent to Inc42, a Paytm Mall spokesperson said, “The online platform that flagged a data breach of our systems reviewed it and have responsibly retracted its claim. This validates our earlier statement, where we stated that the data breach had no connection with us after conducting thorough investigations. We would like to reassure our users that their data is absolutely safe and protecting their information remains our topmost priority.” 

The allegations were retracted after the online platform shared the data with Paytm Mall. The investigation found that the alleged leaked database included information that the ecommerce platform does not collect. 

The review of the database also flagged other issues. “Further, in the tweet thread above I observed the odd “info@” email addresses. They ran these through their systems and advised “we do not have any of these in any of our customer DB,” tweeted Hunt.

Original Story | Published  On July 27 At 11:35 PM

Paytm Mall allegedly suffered a major data breach in 2020 that affected close to 3.4 Mn customers, according to security tracker Firefox Monitor.

The alleged breach took place on August 30, 2020 and compromised user data such as mobile numbers, email addresses, dates of birth. Other purported confidential information such as gender, geographic location, income level as well as purchase details were also leaked in the data breach. 

“A website data breach happens when cyber criminals steal, copy, or expose personal information from online accounts. It’s usually a result of hackers finding a weak spot in the website’s security. Breaches can also happen when account information gets leaked by accident,” Firefox Monitor said while describing the data breach.

On questions about why it took two years to report the leak, the security tracker said, “It can sometimes take months or years for credentials exposed in a data breach to appear on the dark web. Breaches get added to our database as soon as they have been discovered and verified.”

Meanwhile, Paytm’s ecommerce arm Paytm Mall rubbished the report and said that the data of all its users is safe

“The data of our users is completely safe and claims related to data leak in the year 2020 are completely false and unsubstantiated. A fake dump uploaded on the platform haveibeenpwned.com appears to wrongly alert of a data breach on Firefox. We are in touch with Firefox and the platform to resolve the matter,” Paytm Mall said in a statement.

Terming the reports unsubstantiated, Paytm Mall claimed that the hacker and the cyber-risk intelligence firm Cyble, who had raised the alarm over a possible data breach at Paytm Mall in 2020, had themselves confirmed that there was no breach

Inc42 has reached out to Paytm to know if any other arm of it was affected by the alleged data breach. The story will be updated as and when the fintech major responds. 

In August 2020, Cyble had claimed that the ecommerce arm of Paytm had suffered a data breach. The US-based firm had also alleged that the attackers were demanding ransom in cryptocurrency in exchange for the data.

Later, Paytm slapped a legal notice on Cyble, warning the cybersecurity firm of civil and criminal proceedings. Consequently, Cyble recanted its claim and said that there was no breach.

The development comes at a time when Indian companies are grappling with growing cyberattacks that have raised the alarm over the cybersecurity apparatus within these firms. Earlier this week, fintech player Policybazaar reported that its IT systems had suffered a cyberattack and were subject to illegal and unauthorised access.

Cleartrip also informed its customers this month that it had suffered a data breach that exposed the personal details of some customers. The Securities and Exchange Board of India (SEBI) also lodged an FIR recently over a cyber security incident involving its email system. 

The government recently informed the Parliament that more than 6.74 Lakh cybersecurity incidents were reported in the first six months of 2022.

Update | 28th July, 17:00 IST

The earlier version of the story mentioned Paytm as the entity impacted by the alleged data breach. The same has been edited to Paytm Mall.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.