3.5 million MobiKwik users' data is on sale on the darknet.
It is the biggest KYC digital data leak.
MobiKwik is an Indian company founded in 2009 that provides a mobile-phone-based payment system and digital wallet. Customers use the digital wallet to make payments. As of July 2020, MobiKwik had 120 million users and 3 million retailers in India.
What data was included?
- The dump is 8 TB of data, including passports, Aadhaar cards, PAN cards, photos, phone numbers, and other KYC details.
- Many of the users confirmed seeing their details leaked on the dark web.
- The hackers are selling the data for 1.5 BTC, about $86,000 at the current price.
Probably the largest KYC data leak in history. Congrats Mobikwik… pic.twitter.com/qQFgIKloA8
— Elliot Alderson (@fs0c131y) March 29, 2021
In February 2021, security researcher Rajshekhar Rajaharia reported the leak to MobiKwik.
Again!! 11 Crore Indian Cardholder’s Cards Data Including personal details & KYC soft copy(PAN, Aadhar etc) allegedly leaked from a company’s Server in India. 6 TB KYC Data and 350GB compressed mysql dump.@RBI @IndianCERT #InfoSec #dataprotection #Finance pic.twitter.com/yjc7davH3k
— Rajshekhar Rajaharia (@rajaharia) February 26, 2021
Some users also reported the leak with screenshots:
The MobiKwik leak is real. Here is what the dump had for me. One of those credit cards was valid until a couple weeks ago, and I don’t recall authorising MobiKwik to save it. Companies that lie like 👇 ought to be taken to the cleaners. https://t.co/sptyC1Jz8f pic.twitter.com/c4Uu25OviP
— Kiran Jonnalagadda (@jackerhack) March 29, 2021
MobiKwik replied and denied the leak report.
“A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organization while desperately trying to grab media attention. We thoroughly investigated his allegations and did not find any security lapses.
“Our user and company data is completely safe and secure,” the company claimed.
“The various sample text files that he has been showcasing prove nothing. Anyone can create such text files to falsely harass any company.”
“Finally, our legal team will be pursuing strict action against this so-called researcher who is trying to malign our brand reputation for ulterior motives,” the company said in a tweet.
Troy Hunt, the founder of Have I Been Pwned, said:
— Troy Hunt (@troyhunt) March 29, 2021
What should digital payment app companies do?
Companies should follow cybersecurity measures to protect their applications from cyber attacks and other digital fraud. They should enforce strong authentication, encrypt mobile communications, patch and update their apps regularly, and use security software to detect and remove cyber threats.
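The advice above is general, so here is an added example (not MobiKwik's code, and not from the original article) of one concrete measure behind it: storing KYC identifiers such as PAN and Aadhaar numbers only as a masked display form plus a keyed pseudonym, so that a leaked database dump like the one described exposes neither raw identifiers nor a table that can be reversed by brute force. It goes slightly beyond the paragraph by covering data at rest rather than only communications. The key, field names and sample values are constructed for the demonstration; in production the key would live in a KMS or HSM, not in source.

```python
import hashlib
import hmac
import re

# Constructed demo key for this example only; never hard-code a real key.
DEMO_PSEUDONYM_KEY = b"demo-key-rotate-me-0001"

PAN_RE = re.compile(r"^[A-Z]{5}[0-9]{4}[A-Z]$")  # Indian PAN: 5 letters, 4 digits, 1 letter
AADHAAR_RE = re.compile(r"^[0-9]{12}$")          # Aadhaar number: 12 digits


def mask_identifier(value: str, keep_last: int = 4) -> str:
    """Return a display form with everything but the last `keep_last` characters masked."""
    if len(value) <= keep_last:
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]


def pseudonymize(value: str, key: bytes = DEMO_PSEUDONYM_KEY) -> str:
    """HMAC-SHA256 of the identifier under a secret key.

    The service can still deduplicate customers or look one up by PAN/Aadhaar
    via the token, but a dump of tokens alone cannot be reversed by enumerating
    the (small) identifier space, because the attacker lacks the key.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def build_kyc_record(name: str, pan: str, aadhaar: str) -> dict:
    """Validate raw KYC input and return only the fields that are safe to persist.

    The raw PAN and Aadhaar numbers never appear in the returned record.
    """
    pan = pan.strip().upper()
    aadhaar = re.sub(r"\s", "", aadhaar)
    if not PAN_RE.match(pan):
        raise ValueError("invalid PAN format")
    if not AADHAAR_RE.match(aadhaar):
        raise ValueError("invalid Aadhaar format")
    return {
        "name": name,
        "pan_masked": mask_identifier(pan),
        "pan_token": pseudonymize(pan),
        "aadhaar_masked": mask_identifier(aadhaar),
        "aadhaar_token": pseudonymize(aadhaar),
    }


def record_contains_raw_ids(record: dict, pan: str, aadhaar: str) -> bool:
    """Data-at-rest review check: does any stored field still carry a raw identifier?"""
    blob = " ".join(str(v) for v in record.values())
    return pan in blob or aadhaar in blob


if __name__ == "__main__":
    # Constructed sample values; they do not belong to any real person.
    rec = build_kyc_record("Demo User", "ABCDE1234F", "1234 5678 9012")
    print(rec)
    print("raw identifiers present:",
          record_contains_raw_ids(rec, "ABCDE1234F", "123456789012"))
```

Masking (last four characters only) matches how UIDAI presents masked Aadhaar numbers, and the HMAC token gives the application a stable lookup key without keeping the number itself, so a stolen table is far less useful than the plaintext KYC dump the article describes.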