Personal data of nearly 3.5 million (35 lakh) users of digital wallet company MobiKwik was allegedly leaked, independent security researchers claimed on Monday. The data is reportedly available for purchase on the dark web, according to The Business Line.

French cybersecurity researcher Elliot Alderson flagged the security breach on Monday. “Probably the largest KYC [know-your-customer] data leak in history,” Alderson tweeted, along with a screenshot of the database containing users’ personal data. “Congrats Mobikwik...”

The screenshot showed that people can search the database using their phone number or email address to find all information stored on the servers of the digital wallet company. “This database is 8.2 TB [terabyte] and contains 36,099,759 files,” the screenshot said. “Nearly 3.5 million people’s KYC details. Along with 99,224,559 user phone numbers, emails, hashed passwords, addresses, bank accounts and card details etc.”

The data breach was originally flagged in February by internet security researcher Rajshekhar Rajaharia. “11 crore Indian cardholder’s cards data including personal details and KYC soft copy (PAN, Aadhar etc) allegedly leaked from a company’s server in India,” he said in a series of tweets. “6 TB KYC data and 350 GB [gigabyte] compressed MySQL [open-source relational database management system] dump.”

Rajaharia claimed that the breach had happened twice this year. He added that the hacker had had access to MobiKwik’s server since January and said that the Reserve Bank of India should investigate the matter. MobiKwik then denied the claims, according to India Today.

The security researcher again brought up the matter on March 4. “11 crore Indian card holders data allegedly leaked from MobiKwik Server, hacker claimed,” he tweeted. “It seems hacker still has their data. Backup was allegedly taken on 20 January 2021. He claims to have Mobikwik access since last 30 days. Reserve Bank of India and Indian Computer Emergency Response Team, please look into this matter.”

The Indian Computer Emergency Response Team is a part of the Ministry of Electronics and Information Technology.

Following Rajaharia’s March 4 claims, MobiKwik again denied them. “A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organization while desperately trying to grab media attention,” the company tweeted. “We thoroughly investigated his allegations and did not find any security lapses.”

The digital wallet company claimed that the user and company data was secure. “The various sample text files that he has been showcasing prove nothing,” it said. “Anyone can create such text files to falsely harass any company.”

The company said that its legal team would take action against “this so-called researcher” who was trying to malign the brand for ulterior motives.

Rise in data breach cases

There has been a rise in the number of data breaches in India in the past few years. According to the national cybersecurity agency, cyberattacks have increased from 53,117 in 2017 to 2,08,456 in 2018, 3,94,499 in 2019 and 11,58,208 in 2020.

In November last year, online grocery platform BigBasket filed a police complaint in Bengaluru after facing a potential data breach, with details of around 2 crore users leaked. According to the United States-based cybersecurity intelligence firm Cyble, a hacker had allegedly put the data on sale for around Rs 30 lakh.

In May, educational technology company Unacademy also disclosed a data breach that compromised the accounts of 22 million (2.2 crore) users.