The data of nearly 3.5 million users for mobile wallet and payments app MobiKwik is reported to be on sale on a hacker forum on the dark web. The dataset is around 8.2TB in size and includes details of KYC documents, Aadhaar cards, credit card details, mobile phone numbers linked to MobiKwik wallet, etc.
The claim was first made by independent security researcher Rajshekhar Rajaharia in early March, who has previously highlighted other data leaks as well. However, MobiKwik has categorically denied all claims of any data leak and put out a detailed blog statement.
Rajaharia has, however, found support from others in cyber-security, including French cybersecurity expert Elliot Anderson aka Robert Baptiste, who also posted on Twitter stating the leak appears to be genuine. Australian web security researcher Troy Hunt, creator of ‘haveibeenpawned’ also supported Rajaharia’s findings.
The link is showing KYC or Know Your Customer details for many of the users, and information such as Aadhaar card, signatures, etc can be seen. However, search has currently been disabled on the link. Rajaharia said they have also masked a lot of the data so that threat actors won’t be able to misuse this data and said they had to take down search functionality because bots were being used to scan for the data.
Meanwhile, in a blog post, the company has said that there has been no data leak. In a detailed blog post, the company wrote that it “takes its data security very seriously, and is fully compliant with applicable data security laws.” It also said that “it has a long running Bugs Bounty program, where ethical hackers report security issues which are immediately fixed.”
Regarding the data leak, the company said it is investigating this, adding that “it is entirely possible that any user could have uploaded her/ his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source.”
The issue was first reported in early March. At that time, Mobikwik in a series of tweets on Twitter had dismissed all claims and said they would file legal action against Rajaharia, calling him a ‘media-crazed’ researcher.
The company also reiterated that “a thorough investigation with the help of external security experts and did not find any evidence of a breach.” Mobikwik has said it is working “closely working with requisite authorities,” adding it “is confident that security protocols to store sensitive data are robust and have not been breached.” It will also get a third party to conduct a forensic data security audit, as a matter of precaution.
The statement also tries to reassure users that all of their data is safe and all financially sensitive data is encrypted.
“No misuse of your wallet balance, credit card, or debit card is possible without the one-time-password (OTP) that only comes to your mobile number. We strongly recommend that you do not try to open any darkweb/anonymous links as they could jeopardize your own cyber safety,” the company said.