Independent cybersecurity researchers have claimed that a database containing KYC details of nearly 3.5 million users of MobiKwik, a digital wallet and payments company, is up for sale on the Dark Web.
The "breach" was first reported by TechNadu, which cited the work of independent researcher Rajshekhar Rajaharia. On February 26, Rajaharia took to Twitter and said, "Again!! 11 Crore Indian Cardholder's Cards Data Including personal details & KYC soft copy(PAN, Aadhar etc) allegedly leaked from a company's Server in India. 6 TB KYC Data and 350GB compressed mysql dump."
He alleged that this was not the first time such a "breach" had happened and urged the Reserve Bank of India (RBI) to investigate the issue. "This happened 2nd time this year. Hacker claiming that he was having access in company's server since Jan 2021 to till today. They also posted some DB structures with sample. Hope someone will take responsibility for this breach. @RBI should investigate this issue," he added.
According to Moneycontrol, the massive breach includes 36,099,759 files. "Apart from this, the 8.2 TB data comprises 99,224,559 user phone numbers, email, hashed passwords, addresses, bank accounts and card details," the report added. According to the researchers, the entire database is available for 1.5 Bitcoin (nearly $84,000) on the Dark Web.
French ethical hacker and security researcher Robert Baptiste, who goes by the name Elliot Alderson, also tweeted about the alleged data breach on Monday. "Probably the largest KYC data leak in history. Congrats Mobikwik...," he wrote.
Meanwhile, MobiKwik has vehemently denied these allegations. "Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organisation as well as members of the media," the company said in a statement.
"We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure," the company added.