MobiKwik Hacked! Sensitive Details Of 10 Crore Users Being Sold For Rs 69 Lakh; Company Denies

By Malvika Gurung Last updated Mar 30, 2021

Mobikwik users' sensitive data hacked and up for sale on dark web. — Mobikwik users’ sensitive data hacked and up for sale on dark web.

In what is known to be the ‘largest KYC data leak in history’, the Gurugram-based mobile payments company, Mobikwik’s servers have been breached and a massive data of 8.2 TB in size is leaked on a hacker forum for online sale on the dark web.

Sensitive details of about 3.5 million Mobikwik users have been leaked, in addition to personal and payments data of about 99,224,559 users.

Screenshots of the breach uploaded on the hacker forum have been shared by the French hacker and security researcher Elliot Anderson, along with the Indian cybersecurity researcher Rajshekhar Rajaharia confirming the same, yet Mobikwik has denied any such reports on the data hacked.

mobikwik data breach — Source: Indiatimes

8.2 TB of Mobikwik Users’ Data Hacked

According to TechNadu, independent researcher Rajshekhar Rajaharia has informed that the hacker has set up a dark web portal where one can search by phone number or email ID and get the specific results out of a total of 8.2 TB of data.

11 Crore Indian CardHolders data alleged leaked from @MobiKwik Server, Hacker claimed. It Seems hacker still have their data. Backup was alleged taken on 20Jan 2021. He claim to have mobikwik access since last 30 days. @RBI @IndianCERT Please look into this matter.#InfoSec #GDPR pic.twitter.com/tBS3U6Oqhw
— Rajshekhar Rajaharia (@rajaharia) March 4, 2021

The data breach includes 36,099,759 files, besides the 8.2 TB data compromising 99,224,559 user phone numbers, email, hashed passwords, addresses, bank accounts and card details.

In 2016, Mobikwik started offering small loans to its users, which requires KYC. This means the platform had information about user details like Aadhar Cards, passports, PAN cards, and more.

The hacker has complete access to the entire database of Mobikwik’s KYC users and is willing to sell the entire database to a buyer for 1.5 BTC or $85,000, post which the buyer can obtain everything offline and exclusive.

The seller claims that each of the merchant entries in the database can be used to raise $500-$1,000 loans in Indian currency, so the investment of the 1.5 BTC could supposedly yield up to three billion USD, adds TechNadu.

The Whole Data Pack Up for Sale

The seller has listed the following data sets for the massive breach sale:

Total 350GB MySQL dumps: 500 databases
99 million user information on: mail, phone, passwords, addresses, lots more data, apps installed, ph manf., IP address, GPS location
40 million user information on: 10 digit card, month, year, card hash (sha256)
Approx 7.5 TB of about 3 million Merchant KYC data: passports, Aadhar cards, pan cards, selfie, store picture proof, etc., used to get loans on the site, and
lots of databases with all company data.

When asked about the same to Mobikwik, the company has responded,

“Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.”