Threat actor offers to sell 8 TB of MobiKwik’s personal and financial data on almost 100M consumers. MobiKwik is India’s leading fintech platform, operating businesses in consumer payments, financial services and payment gateway.
MobiKwik’s payments network is one of the largest in India with 120 million users, 3 million merchants, and 300+ billers.
MobiKwik came under fire for an alleged data leak that has exposed close to 8.2 terabytes (TB) of data on the dark web, including know-your-customer (KYC) details, addresses, phone numbers, Aadhaar card details, email addresses, hashed passwords, debit/credit card details, GPS location, and phone model details including IMEI data of its users.
The report says data of close to 3.5 million users was at risk. But MobiKwik is denying any breach.
“Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.”
The listing claims to offer (all spelling and typos as in original listing):
0. Total 350GB mysql dumps – >500 dbs
1. 99 million – mail, phno, passwords, addresses, lots more data, apps installed, ph manf., ip address, gps location
2. 40 million – 10 digit card, month, year, card hash (sha256)
3. lots of dbs with all company data
4. ~7.5 TB of ~3 million Merchant KYC data – passports, adahr cards, pan cards, selfie, store picture proof etc used to get loans on the site – Can be used to raise online loans just like USA leaks but in India.
Price: 1.5 BTC. Exclusive. MM of your choice. (1.5 BTC would be USD $83,576.70 or INR 6,084,067.29. “KYC” is “Know Your Customer” and “MM” refers to a middleman service.)
The sample of data offered as proof is described as follows: This database is 8,2 TB and contains 36.099.759 files. Nearly 3,5 million people’s KYC details.
Along with 99.224.559 users phone numbers, emails, hashed passwords, addresses, bank accounts & card details etc.
DataBreaches.net heard from a researcher in India who had entered their own number and found their data. That researcher reported that the data was accurate.
DataBreaches.net also contacted a second researcher and asked them if they could verify the accuracy of data in the dump by comparing it to another leaked database involving Indian citizenry. Using a government database that had leaked, the second researcher pulled a random entry and confirmed that they were able to find the same user with the same information in both databases.
The researcher from India provided details showing that MobiKwik appears to store each user’s GPS location and a list of the apps installed on the user’s phone.
The possibility that the data could be misused to secure online loans in India is especially concerning in light of new reporting by The New York Times that some Indian lending apps have taken to naming and shaming people who took loans because of the pandemic but then fell behind on repayment.
According to NYT:
“These lenders don’t require credit scores or visits to a bank. But they charge high costs over a brief period. They also require access to a borrower’s phone, siphoning up contacts, photos, text messages, even battery percentage.”
“Then they bombard borrowers and their social circles with pleas, threats and sometimes fake legal documents threatening dire consequences for nonpayment. In conservative, tightly knit communities, such loss of honor can be devastating.”
A MobiKwik breach of the kind being claimed by the threat actor has the potential to put many people at risk, especially the 3.5 million people whose KYC data is reportedly now compromised.