In one of India’s worst cases of data breaches, personal information of over 99 million users of the country’s leading fintech platform, called MobiKwik, was leaked online recently.
A phenomenal 8.2 terabytes of data, comprising KYC (Know Your Client) information that India’s financial services regulations require firms to collect, spanning online messages, phone passwords, unmasked card numbers, IP addresses, data provided for app installations, and GPS locations, surfaced on the dark web, where the hackers indicated they were willing to sell it for 1.5 bitcoin, equivalent to $86,000. The data on offer included a total of 350 gigabytes of MySQL Database Service dumps covering 500 databases. MySQL Database Service is a fully managed cloud version of the MySQL relational database, used to deploy cloud-native applications.
It was India’s well-known security researcher Rajshekhar Rajaharia who exposed the data leak on Twitter. He indicated that these data had been leaked from a MobiKwik server, adding that hackers had had access to the company’s data since January.
Days later, French ethical hacker Robert Baptiste, who goes by the name Elliot Alderson on Twitter, confirmed the leak, crediting Rajaharia for the tip. He posted on his Twitter handle a screenshot of a dark web portal where, for a price, users could extract specific details they wanted from the hacked MobiKwik user base.
In a continuation of his exposés of cyber frauds and breaches occurring in India and abroad, Alderson described the hack as “probably the largest KYC leak in history”. A year ago, he had reported a major deficiency in the Indian government’s Aarogya Setu mobile application, which had been developed to trace the spread of Covid-19 among the population.
What consternated the victims further was the casualness with which MobiKwik, which operates one of India’s largest payments networks, with 120 million users, three million merchants and over 300 billers, denied any lapses. In a series of tweets, it maintained that it was a regulated entity that took security very seriously, and also worked closely with the relevant authorities on this matter. It added that “considering the seriousness of the allegations, (it) will get a third party to conduct a forensic data security audit”.
What also incensed MobiKwik users was its readiness to blame them instead for what had happened. Claiming that all accounts and user information with it were completely safe, the company pointed out: “Some users have reported that their data is visible on the dark web. While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the darkweb has been accessed from MobiKwik or any identified source.”
In separate tweets, it went on to say: “We thoroughly investigated his (Rajaharia’s) allegations and did not find any security lapses. Our user and company data is completely safe and secure. The various sample text files that he has been showcasing prove nothing. Anyone can create such text files to falsely harass any company. Finally, our legal team will be pursuing strict action against this so-called researcher who is trying to malign our brand reputation for ulterior motives.” There were also reports that the data breach had been perpetrated to derail MobiKwik’s plans for an Initial Public Offering (IPO) sometime in September that would have valued the company at more than $1 billion.
In a riposte, several aggrieved users posted screenshots of MobiKwik user data put up for sale on the dark web. In his disclosures on the data leak, Rajaharia also wrote to the Reserve Bank of India, India’s Computer Emergency Response Team (CERT), which handles computer security incidents, Payment Card Industry Data Security Standard (PCI-DSS), and payment technology firms.
Also calling the company out for its reaction was Australian web security consultant Troy Hunt, known for public education and outreach on security topics and for creating haveIbeenpwned.com, a website that allows Internet users to check whether their personal data has been compromised in data breaches. “Never *ever* behave like @MobiKwik has in this thread from 25 days ago. Try Googling ‘mobikwik data breach’ now,” he tweeted.
Founded in 2009 by Bipin Preet Singh and Upasana Taku, MobiKwik operates in the consumer payments, financial services and payment gateway businesses. The company’s stated brand vision is to give a billion Indians one-tap access to digital payments, loans, investments and insurance by the year 2022.
It also aims to extend its Digital Credit Card from the current 20 million pre-approved users to 100 million. It has raised $110 million in funding from marquee investors, including Sequoia Capital, American Express, Tree Line Asia, MediaTek, GMO Payment Gateway, Cisco Investments, Net1 and Bajaj Finance. “With 60 per cent Indian ownership, MobiKwik is the ‘Truly Indian Payments App’,” it claims.
Initially, a group of hackers calling itself Jordandaven emailed the link of the database to an Indian wire news service and shared the data of Singh and Taku from the database. The hackers maintained they were interested only in wresting money from MobiKwik.
Subsequently, a hacker group on an online forum called Ninja Storm claimed responsibility for the data breach. Its message at the bottom of the screen read: “I have been told that I am single-handedly helping India to make better data regulations and to fine companies if they lose user data like GDPR [General Data Protection Regulation]. Didn’t expect this outcome when we hosted this site.”
A later message mentioned, “All of India is worried about this leak as it has 99 million users and 3.5 million users’ KYC details. We had very long and deep conversations with some independent security researchers about the consequences if data is leaked or sold and decided we will delete all data from our end as MobiKwik is incompetent in that regard.” It then messaged, “All Mobikwik data deleted on our servers. All users safe,” adding, “We Are Not Ruthless.”
While the cloud blew over as a result, the sheer volume of personal data uploaded to the portal was alarming. The wrangle between the researcher and the platform left the latter’s users confounded and uncertain, even as investigations continue.
Many users chose to protect themselves from further damage by updating their MobiKwik accounts with new passwords. To ascertain whether their data were part of the leak, they were advised to download Tor, the free and open-source browser that enables anonymous browsing of the web, and to look up their details on the portal. “If nothing shows up, you are safe,” they were informed. “If information pops up, then immediately contact your bank and block your cards.”
Internet Freedom Foundation (IFF), which defends online freedom, privacy and innovation in India, issued a statement backing cyber experts, after MobiKwik threatened legal action against Rajaharia. The statement affirmed: “It must immediately be recalled. Policy reform is needed as cyber security researchers face threats of legal prosecution without legislative protection.”