Around 2 crore customers' personal details like names, hashed passwords, phone numbers etc were leaked from online grocery delivery platform BigBasket’s database. This news comes at a time when Tata Sons is very close to acquiring majority stake in the online grocery platform. However, the company claims this leak took place in November 2020 which has resurfaced.
Taking to Twitter, BigBasket stated, "This article / social media post refers to an alleged data breach in Nov-2020 and not something that has happened recently. The reason we know it's not recent is that the article / social media post mentions the release of hashed passwords. We had eliminated all hashed passwords from our system and moved to a secure OTP-based authentication mechanism quite some time back."
The platform further stated the site does not collect or store any sensitive personal data of customers like credit card details. "So customer data continues to be safe and no further action needs to be taken by customers." The leaked data includes users name, phone number, addresses, email IDs, and date of birth among other information.
The data have been leaked by a hacker named ShinyHunters on a well-known cybercrime forum. It is stated that the platform was breached in October 2020 and hackers put out the leaked data on sale.
Co-Founder and CTO of Hudson Rock, Alon Gal had tweeted about this leak recently.
This was confirmed by Troy Hunt's post too. Hunt is a creator of haveibeenpwned.com. This site checks if your email address or password has been compromised in a data breach. While it does inform about the breach, the timeline of the breach is missing.
The company had also filed a police complaint with the Bengaluru Cyber Crime Cell last year to verify cyber intelligence group Cyble's claim on the alleged leak.