Data security laws in India have always been something of a laughing stock. The latest alleged data breach at Mobikwik, in which the personal data of around 3.5 million people, including credit and debit card details and other critical information, was leaked, only validates that view.
In what possibly could be the biggest KYC data leak in history, all this data is up for sale over the Dark Web. There’s even an onion link where anyone can log on and check if their data has been compromised.
The alleged database is around 8.2 terabytes in size and contains 36,099,759 files, amounting to the KYC details of around 3.5 million people. It also includes 99,224,559 users’ phone numbers, emails, hashed passwords, addresses, bank details and a range of other sensitive data.
The initial breach report
Following this, Rajaharia tweeted again on the 4th of March, claiming that the data of about 11 crore Indian cardholders had been leaked from a Mobikwik server. He reported that the hacker took the data dump on 20 Jan 2021 and had claimed to have had access to Mobikwik servers for the previous 30 days.
He posted screenshots of his conversation with Mobikwik on the 1st of March, in which the company denied the breach and removed the reported bug within the following hour.
The issue drew wider attention when French ethical hacker Robert Baptiste, who goes by Elliot Alderson on Twitter, also posted about it. However, Twitter removed his tweet, citing its rules on personal information. Alderson posted a screenshot of the email he received on his Twitter profile.
Mobikwik’s response to Rajaharia’s tweet was an indirect jab at him claiming that some ‘media-crazed so-called security researcher’ has presented ‘concocted’ files and wasted the organisation’s precious time. They reassured customers that no leak was found and their data was safe.
Beyond that reply, the company has been silent on the issue. In the face of mounting evidence that the leaked data may actually have originated from their end, it remains to be seen how they will handle the situation.
Candid.Technology reached out to Mobikwik for a comment and their spokesperson’s response wasn’t exactly reassuring.
“As a regulated entity, the company takes its data security very seriously and is fully compliant with applicable data security laws. The company is subjected to stringent compliance measures under its PCI-DSS and ISO Certifications, which include annual security audits and quarterly penetration tests to ensure security of its platform. As soon as this matter was reported, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach. The company is closely working with requisite authorities on this matter, and considering the seriousness of the allegations will get a third party to conduct a forensic data security audit. For its users, the company reiterates that all MobiKwik accounts and balances are completely safe.”
Various news outlets have covered the news in the past 24 hours with varying depths to their reports.
The fact remains the same. Each report says that there is, in fact, concrete proof of a data leak containing sensitive information of around 10-11 crore Indian users sitting live on a dark web site. The hacker is reportedly selling this data for 1.5 bitcoins, which is not a lot of money for such an enormous data dump.
Mobikwik also released a detailed blog post on the issue dated 30 March 2021. It said it was ‘incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source.’
They’ve also put out a tweet linking the aforementioned blog post to reassure users of their data’s safety.
Latest update from the breach
At the time of writing, the APIs in question are down while the attackers implement captchas on the site to prevent bots from mining the data and to cope with the heavy traffic it is receiving.
The attackers also seem to be determined to prove to Mobikwik that the data leak is, in fact, real, as they’ve mentioned on the site itself.
Our personal investigation
We took a look at the source code behind the dark web site in question and found the APIs being used to fetch data from the database. It seems like either the attackers somehow gained access to Mobikwik’s internal API or have made one of their own to protect their source.
However, seeing the latest developments on the data dump page, the attackers seem to be well in control of the APIs and the database, indicating that they might have complete control over the information they’re holding.
We were also able to extract the direct links for fetching data from the APIs. At the time of our investigation, string search functionality on the API was down due to heavy traffic, so we could only look up phone numbers, but that was enough.
An email address that could be contacted for access to the entire database was embedded in the site footer’s code. We tried reaching out but received no response.