What has happened?
- Payment app Mobiwik came under the scanner on Monday after a security researcher claimed that the data of 3.5 million users were put up for sale on the dark web.
- The researcher claimed that the sensitive information of 3.5 million users that was put on the dark web for sale includes KYC details, addresses, phone numbers, Aadhar card data and other details of the users.
- Several users had reportedly spotted their personal details on the dark web link that is being circulated on the internet.
About the data leak
- It all began late last month, when security research Rajshekhar Rajaharia exposed the data leak on Twitter.
- The researcher said data of 11 crore Indians, which included information from KYC (Know-Your-Customer) forms, unmasked card numbers and other personal details, had been leaked from a Mobikwik server.
- The researcher named Mobikwik in a series of tweets, adding that hacker(s) had access to the company’s data since January 2021.
- However, Mobikwik denied the leak via a tweet on March 4.
- This though, may have been false, as other security researchers started jumping in with their thoughts.
- On March 29, prolific security researcher Robert Baptiste (who goes by Elliot Alderson on Twitter) confirmed the leak, crediting a third security researcher for the tip.
- Alderson said this was probably the “largest KYC leak in history”.
Response from Mobikwik
- Mobikwik CEO Bipin Preet Singh has issued a statement on the alleged data breach involving Mobikwik.
- He said, “Some users have reported that their data is visible on the dark web. While we are investigating this. it is entirely possible that any user could have uploaded his information on multiple platforms.
- it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source.”
What kind of data?
- Over 8 terabytes (TB) worth of personal user information such as email ids, phone numbers, names, addresses, passwords, GPS locations, and data related to users’ mobile devices was taken,
- From Mobikwik’s main server by a hacker named ‘Jordan Daven’ and put on dark-web forums on January 20, Rajaharia said.
- “Regular keys and passwords should have been changed and logs should have been monitored to prevent this kind of security compromise,” he said.
- Independent researcher Avinash Jain said,
- “It seems the attacker got hold of their cloud infrastructure and was able to access data stores where this information was stored.”
- Jain added that data breaches are on the rise and that Indian startups need to take the security of their users’ data more
Data breach on rise
- In recent months, several Indian startups have suffered massive data breaches.
- Mobikwik joins a list of other high-profile targets, including grocery e-tailer Big Basket and payment aggregator JusPay.
- The Reserve Bank of India is learnt to be monitoring these security breaches and has introduced several new rules,
- Including the impending payment aggregator and payment gateway guidelines, which would restrict the exposure of customer data to a few servers of licensed gateways.
Q) Which among the following monitors users activity on internet and transmit that information in the background to someone else?
- None of the above