MobiKwik’s user data has reportedly been compromised, and hackers can now search for it using a dedicated search engine. The data breach has been denied by the Gurugram-based digital wallet firm. Independent security researchers, on the other hand, say that the data, which is over 8.2TB in size, has been for sale on the dark web for quite some time. The alleged data breach was first brought to Gadgets 360’s attention in February. The hackers community, which allegedly had months of access to the data, has now made it available via a search engine that indicates some of the leaked data items, such as the names, phone numbers, and email IDs of millions of affected users.
MobiKwik denied any allegations of sensitive data leakage, claiming that it had found no proof of a breach.
“As a controlled agency, the organisation takes data protection extremely seriously and complies entirely with all relevant data security laws. In order to ensure the protection of its website, the organisation is subjected to strict compliance procedures under its PCI-DSS and ISO Certifications, which include regular security audits and quarterly penetration tests,” a MobiKwik spokesperson said in an emailed statement.
Given the severity of the claims, the spokesperson added that the company was closely “working with requisite authorities” on the matter and that it will engage a third party to perform a forensic data protection audit.
The company reiterated to its users that all MobiKwik accounts and balances are absolutely secure, according to the spokesperson.
The data breach was first mentioned to Gadgets 360 by cyber-security researcher Rajshekhar Rajaharia on February 25. He said that over 100 million users’ credit and debit card numbers, names, email addresses, and other personal information had been leaked on the dark web. Apart from textual information, the researcher claims that the hackers group known as “ninja storm” sold know-your-customer (KYC) information such as scanned documents such as Permanent Account Number (PAN) and Aadhar cards, as well as bank statements of over five crore users.
The researcher presented some sample files, which included a table structure as well as a reference to MobiKwik’s payment gateway, Zaakpay.
Gadgets 360 contacted MobiKwik co-founders Bipin Preet Singh and Upasana Taku shortly after receiving the information from the researcher. The executives, on the other hand, remained tight-lipped about the security breach at the time. In addition, an email sent to CERT-In received no response.
MobiKwik publicly denied its involvement in the data breach on March 4 and referred to the researcher as “media-crazed,” without mentioning Rajashekar. The firm also reported that the researcher in question provided “fabricated files” in order to “capture media attention.”
On Monday, however, French security researcher Robert Baptiste, also known on Twitter as Elliot Alderson, revealed the specifics of the suspected data breach. He also released information about a dark Web search engine purportedly developed by a hacker group, as well as some user information.
Several users on social media reported that the search engine helped them locate their personal information.
Gadgets 360, on the other hand, was unable to independently check whether the information provided was linked to the suspected MobiKwik data breach.