MobiKwik breach: Hacker calls it the largest KYC data leak

Nachiket Mhatre
·2-min read


MobiKwik breach: Hacker calls it the largest KYC data leak
MobiKwik breach: Hacker calls it the largest KYC data leak

30 Mar 2021: MobiKwik breach: Hacker calls it the largest KYC data leak

In what could be one of the largest KYC data leaks in history, personal data of more than 10 crore MobiKwik users has been compromised. Independent security researcher Rajshekhar Rajaharia claimed that the user data is on sale on the darknet.

Rajaharia's claim was also backed by French cybersecurity expert Robert Baptiste, who is better known by his famous pseudonym Elliot Anderson.

Digital ransom: Unknown hacker put MobiKwik's users data for sale on darknet

In February, Rajaharia had claimed that an unknown hacker was selling MobiKwik's users data on the darknet, such as credit/debit card details, phone numbers, and Aadhaar as well as PAN numbers, in addition to other personally identifiable details.

Rajaharia claims to have found the personal details of several high-profile Indian tech founders within the leaked data dump on the darknet totaling to 350GB.

Categorical denial: MobiKwik denies breach; Claims thorough investigation doesn't reveal data compromise

Meanwhile, MobiKwik has denied Rajaharia's data breach claim. The company contends that the personal information belonging to its clients is safe and it has ensured the same following a thorough investigation.

It also alleged that it receives several such claims, but they turn out to be fake data dumps. It isn't uncommon for high-profile corporations to receive such dubious data ransom claims.

Fact: MobiKwik representative categorically denies the breach

"Some security researchers have repeatedly attempted to present concocted files wasting precious time of our organization. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure," said a MobiKwik spokesman to Deccan Herald.

Data blackmail: Cybercriminal calls MobiKwik's bluff, adds search feature letting victims self-verify

However, savvy cybercriminals anticipate companies using this tactic. The unknown seller of MobiKwik's users data has countered by incorporating a search bar that allows verification.

Those who can log onto the darknet and find the data dump can type in their registered email IDs in the search bar to check if their data has been compromised or not.

Data blackmail: Hacker demands 1.5 Bitcoins; Promises to delete all user data

The darknet seller has reportedly demanded 1.5 Bitcoins from MobiKwik, which is worth more than $86,000 at the moment, following which he promises to delete all data.

In addition to the aforementioned personal data, the MobiKwik data dump on the darknet also has selfies and store picture proof of more than 30 lakh merchants registered with the platform.