MobiKwik suffers major data breach

According to The Hacker News, 8.2 terabytes of data belonging to millions of its users began circulating on the dark web in the aftermath of a major data breach. The leaked data includes sensitive personal information such as customer names, hashed passwords, email addresses, residential addresses, GPS locations, list of installed apps, partially-masked credit card numbers, connected bank accounts, and KYC documents of 3.5 million users.

Besides, the leak also shows that MobiKwik does not delete the card information from its servers even after a user has removed them. New guidelines issued by India's apex banking institution, the Reserve Bank of India, prohibit online merchants, ecommerce websites, and payment aggregators from storing card details of a customer online. The rules are set to come into effect starting July 2021.

Furthermore, the leaked data, which is accessible via Tor browser and boasts of 36,099,759 records, came online after the digital wallet company vehemently denied the incident on 4 March 2021, following a report by an independent security researcher. However, multiple users have confirmed to the contrary, finding their personal details in the 'MobiKwik India data leak' site. The compromise was originally advertised in a database leaking forum on 24 February, with a hacker claiming access to 6TB data from an unnamed Paytm competitor. 

Moreover, when the company was warned over email, it took measures to stop the hacker from downloading the data. However, a month later, in a separate listing on 27 March 2021, the hacker claimed, that he had recovered all data and it's up for sale, offering up what is alleged to be 8TB of their data for 1.5 bitcoin (USD 85,684.65).

When reached for a response, MobiKwik stated that the data shared on the dark web site hasn't been retrieved from its own servers. The company also said it's working with relevant authorities to carry out a security audit of its platform.