[BreachExchange] MobiKwik Suffers Major Breach — KYC Data of 3.5 Million Users Exposed

Destry Winant destry at riskbasedsecurity.com
Tue Mar 30 08:18:41 EDT 2021


https://thehackernews.com/2021/03/mobikwik-suffers-major-breach-kyc-data.html

Popular Indian mobile payments service MobiKwik on Monday came under
fire after 8.2 terabytes (TB) of data belonging to millions of its
users began circulating on the dark web in the aftermath of a major
data breach that came to light earlier this month.

The leaked data includes sensitive personal information such as:

- customer names
- hashed passwords
- email addresses
- residential addresses
- GPS locations
- lists of installed apps
- partially-masked credit card numbers
- connected bank accounts and associated account numbers
- know your customer (KYC) documents of 3.5 million users

Even worse, the leak also shows that MobiKwik does not delete card
information from its servers even after a user has removed the card, in
what is likely a breach of government regulations.

New guidelines issued by India's apex banking institution, the Reserve
Bank of India, prohibit online merchants, e-commerce websites, and
payment aggregators from storing card details of a customer online.
The rules are set to come into effect starting July 2021.

As of July 2020, MobiKwik serves 120 million users and 3 million
retailers across the country.

The data leak site, which is accessible via the Tor browser and boasts
36,099,759 records, came online after the digital wallet company
vehemently denied the incident on March 4 following a report by
independent security researcher Rajshekhar Rajaharia.

"A media-crazed so-called security researcher has repeatedly over the
last week presented concocted files wasting precious time of our
organization while desperately trying to grab media attention,"
MobiKwik tweeted. "We thoroughly investigated his allegations and did
not find any security lapses. The various sample text files that he
has been showcasing prove nothing. Anyone can create such text files
to falsely harass any company."

However, multiple users have confirmed to the contrary, finding their
personal details in the "MobiKwik India data leak" site, lending
credence to the breach.

"Never *ever* behave like @MobiKwik has in this thread from 25 days
ago," Troy Hunt, security researcher and creator of breach
notification tool Have I Been Pwned, said in a tweet, calling out
MobiKwik's handling of the situation.

According to sources close to the incident, the compromise was
originally advertised in a database leaking forum on February 24, with
a hacker claiming access to 6TB data from an unnamed Paytm competitor.

Interestingly, it appears that after Rajaharia disclosed the leak,
revealed the company's identity, and warned MobiKwik over email, the
firm at the same time took measures to stop the hacker from downloading
the data.

"We [...] lost access to main company servers, not surprising
though... Cant download anything new," the hacker said in a forum post
a day later, adding that the partially downloaded data might have been
corrupted.

"We never wanted any money anyway, so not sad. But one of the biggest
hacks of KYC ever shit!!! OR SO WE THOUGHT. :( So, I guess I grow old
saying I used to hack and shit. Rather than actually hacking and shit.
Exciting 1 month though!!!," the hacker said, implying that the breach
dated back to January, echoing Rajaharia's tweets from March 4.

But a month later, in a separate listing on March 27, the hacker
claimed, "we recovered all data and it's up for sale," offering up
what is alleged to be 8TB of the company's data for 1.5 bitcoin
($85,684.65).

However, in an interesting turn of events, plans to put the data on
sale appear to have been suspended until further notice. "Only sell
this to company after due verification that we are dealing with
company," the hacker said in an update, suggesting an extortion
scheme.

It's not immediately clear how the threat actor managed to gain
unauthorized access to MobiKwik's servers, but the hacker said, "it'll
be embarrassing for the company. story for someother time.." (sic)

When reached for a response, a MobiKwik spokesperson downplayed the
breach, stating that the data shared on the dark web site hasn't been
retrieved from its own servers. The company also said it's working
with relevant authorities to carry out a security audit of its
platform.

"Some users have reported that their data is visible on the dark web.
While we are investigating this, it is entirely possible that any user
could have uploaded her/his information on multiple platforms. Hence,
it is incorrect to suggest that the data available on the dark web has
been accessed from MobiKwik or any identified source."

"As a regulated entity, the company takes its data security very
seriously and is fully compliant with applicable data security laws.
The company is subjected to stringent compliance measures under its
PCI-DSS and ISO Certifications, which include annual security audits
and quarterly penetration tests to ensure security of its platform. As
soon as this matter was reported, the company undertook a thorough
investigation with the help of external security experts and did not
find any evidence of a breach. The company is closely working with
requisite authorities on this matter, and considering the seriousness
of the allegations will get a third party to conduct a forensic data
security audit. For its users, the company reiterates that all
MobiKwik accounts and balances are completely safe."
