[BreachExchange] Data of approximately 20 million BigBasket users leaked by hacker ShinyHunters

Destry Winant destry at riskbasedsecurity.com
Tue Apr 27 10:44:34 EDT 2021


https://thetechportal.com/2021/04/26/data-of-approximately-20-million-bigbasket-users-leaked-by-hacker-shinyhunters/

After social media sites, it appears that the data of users of even grocery
delivery and shopping websites is at risk, as a reputed hacker has
allegedly leaked personal data of a whopping 20 million (approximate) users
of popular grocery platform BigBasket, including passwords, on a well-known
hacking platform.

The leaked data comprises personal information of the users, along with
passwords which have been hashed using the SHA1 algorithm
(which, ironically, was developed by the National Security Agency of the
US), phone numbers, and addresses, among other information, including dates
of birth, and even interactions and chats with the customer service of the
company. As per reports, the members of the forum have already succeeded at
cracking around 2 million passwords from the database. What’s interesting
is that one particular member has claimed that around 700 thousand users on
BigBasket used the word “password” as their password on the site, making it
particularly easy to crack them.

The platform is well reputed in India for allowing users to purchase
groceries and get them delivered to their homes. The database of the users’
personal details was leaked on a free hacker forum by a well-known data
breach supplier, who goes by the name ShinyHunters, claiming to have stolen
it from BigBasket.

We have contacted BigBasket, and will add their response to this piece when
they revert back to us.

This breach comes barely months after the same company saw another
data breach back in November last year, which, too, was allegedly
orchestrated by the same hacker, that is, ShinyHunters. At that time, the
hacker had apparently tried to sell the information on a private platform,
demanding as much as $40,000 for supplying it, as opposed to releasing it
for free on a public site this time around. This seems to be somewhat of a
pattern for ShinyHunters (who is most well known for having been a part of
data breaches at Teespring, Tokopedia, Mathway, Wattpad, Dave, Minted,
Promo, and Chatbooks), as all previous cases of data breach by the hacker
have met the same fate, being released for free online after first being
put up for private sale in return for money.

This breach comes weeks after the company signed a deal with Indian
conglomerate Tata Group, wherein the latter had agreed to buy a majority
stake in BigBasket. The deal entitles Tata Group to take over more than 60%
of the stakes at the startup, increasing its value to reach somewhere
between $1.8 and $2 billion. This deal will result in the company’s
previous stakeholders, including Chinese giant Alibaba group, who
previously owned 30% of the stakes, being removed from the list of
investors that hold stakes in the startup.

BigBasket has already raised over $750 million through a previous deal with
Tata. The takeover proposal is currently pending approval by Indian
regulators, and consequently, the two companies have opted to keep the
details of the deal under wraps.