MobiKwik says no data breach even as users share ‘evidence’ on Twitter – Times of India
Almost a month later, MobiKwik has issued another statement and said that the company is investigating this and “…it will get a third party to conduct a forensic data security audit.” This development comes after users started to post screenshots of text files revealing user details.
As far as the “so-called security researcher” is concerned, his name is Rajshekhar Rajaharia and he was among the first to notify MobiKwik about the security breach. He claimed that the company did not respond to him initially. He says that it was only after his tweet went viral that the company issued a statement denying the security breach claim on March 4.
Again!! 11 Crore Indian Cardholder’s Cards Data Including personal details & KYC soft copy (PAN, Aadhar etc) alleged… https://t.co/y01YaznT5s
— Rajshekhar Rajaharia (@rajaharia), February 26, 2021
What user details may have got leaked
As per the breached data, user details that may have leaked include: name, phone number, hashed passwords, bank account details, address, email ID, photo, Aadhaar data, passport data, other apps installed on the phone and more.
The security researcher’s version of the story
In an interaction with The Times of India–GadgetsNow, Rajaharia said, “On February 25, a hacker on a dark web forum (Raid Forum) claimed that he was in possession of all the user data of one of the top 3 fintech startups in India. The hacker did not mention the name of the company. The reason why the hacker did not disclose the name of the company that got breached is because he wanted to make some money. Later he created a group on Discord and started to share details as evidence of the breach. Through his sample data, I guessed it belonged to MobiKwik.”
“When I tried to confirm with the hacker whether this data actually belonged to MobiKwik or not, he did not confirm and said that the data downloading process was still ongoing. This is when I thought of informing MobiKwik about a potential breach,” he said.
Rajaharia had informed MobiKwik via Twitter and LinkedIn, on March 1, about the possibility of a breach. He did not receive any official response from the company. He claims to have emailed the founder of MobiKwik about the same but there wasn’t any response.
Rajaharia claimed that after he alerted MobiKwik, the hacker said in a post that “he lost link with the company servers and all the data got corrupted”.
“Soon after that MobiKwik removed the email option from signup form so that no one can match leaked emails with its server,” he added.
Later, Rajaharia said that he himself reported a bug in MobiKwik’s platform after a couple of days. “They denied the existence of the bug and fixed it on their end,” he claimed.
His posts on both LinkedIn and Twitter showcasing the bug were deleted by the respective platforms for “violation of policies”. Though it is not clear why both Twitter and LinkedIn took down his posts, one reason could be that he posted private details of users.
“The team at MobiKwik was so confident that the breached data was only with one hacker that they publicly denied the breach altogether after the hacker said that he lost the data as it got corrupted,” he added.
However, that is not the case as per Rajaharia: he claims that data of all MobiKwik users is still available and that a search engine has even been built over it. Through this search engine, anyone can search for and get the personal details of users.
How the ‘search engine’ fuelled #MobikwikDataBreach trend on Twitter
After the search engine was created, people used it to find personal details of MobiKwik users by searching the database with email ID. Once they got a match, several users claimed that the data was accurate and indeed sourced from MobiKwik. Some of these users shared screenshots of leaked personal details and posted on Twitter. Soon, “#MobikwikDataBreach” started trending on Twitter. This seems to have made the company release a statement.
The Times of India–GadgetsNow independently accessed the search engine and can confirm its existence. This search engine can be accessed only through the Tor browser.
MobiKwik’s latest official statement on the data breach incident
“…Some users have reported that their data is visible on the darkweb. While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the darkweb has been accessed from MobiKwik or any identified source.
When this matter was first reported last month, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach. The company is closely working with requisite authorities, and is confident that security protocols to store sensitive data are robust and have not been breached. Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit.
For our users, we reiterate that all your MobiKwik accounts and balances are completely safe. All financially sensitive data is stored in encrypted form in our databases. No misuse of your wallet balance, credit card or debit card is possible without the one-time-password (OTP) that only comes to your mobile number. We strongly recommend that you do not try to open any dark web/anonymous links as they could jeopardize your own cyber safety.”