3.5 million MobiKwik users' data up for sale, company denies claim

The leak was first reported in February by security researcher Rajshekhar Rajaharia, a claim the company had denied at the time

Neha Alawadhi New Delhi
Last Updated: Mar 29 2021 | 11:43 PM IST
Payment app MobiKwik on Monday came under fire for an alleged data leak that has exposed close to 8.2 terabytes (TB) of its users' data on the dark web, including know-your-customer (KYC) details, addresses, phone numbers, and Aadhaar card data.

According to reports, data of close to 3.5 million users was at risk.

The company, however, denied the breach. 

The leak was first reported in February by security researcher Rajshekhar Rajaharia, a claim the company had denied at the time.

However, on Monday, a link from the dark web began circulating online, and several users confirmed seeing their personal details in it. 

Many people also posted screenshots of the alleged MobiKwik user data, which, according to sources, was up for sale for 1.5 bitcoin or about $86,000. 

While the passwords were encrypted or masked in the data, the other personal details were not.

“Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organisation as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure,” a MobiKwik spokesperson said. 

The researcher, Rajaharia, had tweeted details of the leak on February 26: “11 crore Indian cardholders’ card data, including personal details and KYC soft copy (PAN, Aadhar, etc) allegedly leaked from a company’s server in India. 6 TB of KYC data and 350 GB of compressed mysql dump”. 

He subsequently followed up his tweets by naming MobiKwik, which, he said, had removed an old post about a previous data breach from 2010.

MobiKwik said the blog post was never removed and continues to be up.

French hacker Robert Baptiste, who goes by the pseudonym Elliot Alderson on Twitter, also tweeted on Monday, “Probably the largest KYC data leak in history. Congrats Mobikwik...”, and posted a screenshot of the leaked data. 

If the breach has indeed occurred, there is very little users can do except demand accountability from the company, said a security researcher who did not wish to be named. 

“Given the large data set, there is a big chance that scammers will be able to scam people and sound more authentic. Even though the passwords seem encrypted in the data, all the other details like PAN card, Aadhaar card etc have not been masked. This makes anyone listed in the database vulnerable to fraud. The details include phone number and email IDs too, so it gives scammers an easy way to reach out to the users,” said independent security researcher Indrajeet Bhuyan. 

MobiKwik had last week raised $7.2 million in a funding round prior to the listing on the stock exchange. 

According to Entrackr, MobiKwik’s post-money valuation currently stands at $493 million with the latest funding round.

