While several independent cybersecurity researchers have been reporting about a likely data breach of MobiKwik’s servers as early as February, French security researcher Robert Baptiste (Elliot Alderson on Twitter) confirmed the hack on Monday.
The breach includes names, email addresses, lists of installed apps, location data, hashed passwords, partially-masked credit card numbers, and photos of KYC documents.
MobiKwik denies breach, says it will do forensic audit
While MobiKwik denied any data breach on Tuesday, it however said in a blogpost: “The company is closely working with requisite authorities, and is confident that security protocols to store sensitive data are robust and have not been breached. Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit.”
It said, “When this matter was first reported last month, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach.”
“Some users have reported that their data is visible on the dark web. While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms,” it added. However, users who said they had searched through the leaked data on a site reported finding personal details that they had saved only on MobiKwik, tying the breach to the platform. “Some of my data is there. In fact even the accurate date for the creation of my Mobikwik account, in 2013, is there,” Nikhil Pahwa tweeted on Tuesday.
MobiKwik also received flak from Twitter users for shifting blame. Cybersecurity researcher Rajshekhar Rajaharia, who first made the breach public on February 26, told TOI he had written to MobiKwik about the breach on February 24, and had also contacted RBI and CERT-In in the first week of March, but had not heard back. Both correspondences were seen by TOI. “This was likely a breach of their server and users should change their passwords on all websites immediately,” Rajaharia said.
According to Rajaharia, a dark web forum originally advertised the data in February. Rajaharia claims that once he warned MobiKwik over email, the firm must have taken measures to stop the hacker from downloading the data, as the hacker then posted saying they had lost access to the servers. But on March 27 the hackers claimed they had recovered all the data and put it up for sale for 1.5 bitcoin (roughly $86,000).