Debangana Ghosh reports on an incident involving a claimed Mobikwik breach that this site covered a number of times. The alleged data breach of 3.5 million users at IPO-bound fintech unicorn MobiKwik is under RBI’s scanner. The company has submitted a forensic audit report detailing the data breach, the RBI said in response to a right to information (RTI) petition filed recently. The petitioner sought to know the status and understand the procedure of the investigation. Srinivas Kodali, independent researcher and privacy rights activist who had filed the RTI, told BusinessLine, “The RBI doesn’t care about informing individual customers. If there is a fraud happening due to data breach, the RBI ensures that the banks and payment processors refund that money under a certain limit. They think they are not obligated to inform individuals whose data was affected due to these breaches. And since there are no strict laws, MobiKwik got away without informing customers. MobiKwik also didn’t submit their report to the RBI, until the regulator reached out to them. There has been no independent investigation so far due to lack of data protection laws.” In response, Mobikwik cites the results of the audit they commissioned, which allegedly found no evidence of any breach, but noted some limitations that Mobikwik does not specify in their statement. So they are still denying any breach. Will RBI find otherwise? Read more on BusinessLine.
Mint reports: Payments firm One Mobikwik Systems Ltd on Monday, in its draft IPO prospectus, said that a forensic audit conducted by an independent expert did not reveal any unauthorized access to its customer database in March. The alleged data breach came to light in March after unknown actors claimed they were selling Mobikwik’s data on the dark web and that this included 99 million mail IDs and phone numbers, data of 40 million saved debit and credit cards as well as know-your-customer (KYC) logs of 3.5 million users. The Gurugram-based digital payments firm had denied that it suffered such a data breach. Read more on Mint. While the findings seem to support denials made by Mobikwik in March after a thread on RaidForums claimed to offer their data for sale, the report seems to have included some cautions or qualifications about drawing conclusions: “The report however states certain limitations to the processes undertaken, including virtual walk-through of our systems, not analysing employee devices and that the review was based on logs made available by us and certain non-mandatory logs were not available for the audit.”
On March 30, DataBreaches.net posted an update to a controversial data breach that MobiKwik denies (previous coverage can be found here). The controversy subsequently escalated on Twitter when people started complaining that they had found their data in the leaked database and that it corresponded to what they had on file with MobiKwik. In addition to the shock and concern consumers felt about their data being available on the internet, there was anger at MobiKwik for denying responsibility and for trying to threaten and smear the researcher who had notified them and then pursued responsible disclosure. In what made denial seem like an extreme sport, MobiKwik even went so far as to suggest that their customers may have uploaded all their information to multiple platforms. The researcher, Rajshekhar Rajaharia, provides a more detailed timeline of the controversy on Medium. For his efforts to protect consumers, Rajaharia has been defamed as “media-crazed,” threatened with litigation, and censored by LinkedIn and Twitter based on complaints by MobiKwik. And now DataBreaches.net has been targeted because on March 30, I posted Mobikwik offers master class in how NOT to respond to a breach; researchers scoff, consumers rage. Today, I received an email from this site’s web host. They were forwarding a complaint submitted to CloudFlare from “anonymous,” and they asked me to look at it. So I did. Before I show you what “anonymous” wrote, let me remind everyone what it says on this site’s About page:

This site is a combination of news aggregation, investigative reporting, and commentary. You may disagree with my reporting or be offended by my opinions. If you think I’ve erred in my reporting, email and let me know what you think I got wrong. If you don’t like my commentary on a situation or on your handling of an incident, you’re free to send a statement for me to consider posting.
If you want to send me legal threats about my reporting or comments, knock yourself out, but don’t be surprised to see me report on your threat, any confidentiality sig blocks you may attach notwithstanding. I have been threatened with lawsuits many times, and to be blunt: there is NOTHING you can threaten me with that will scare me even 1/10th as much as the day both my kids got their driver’s licenses within 15 minutes of each other.

Even though I had tweeted to MobiKwik on March 4 to question their claim, they never responded. And even after I emailed MobiKwik to tell them that I didn’t find their denial credible, they never responded. They never reached out to this site after the one boilerplate denial. But today, “Anonymous” complained. You may want to look at the post “Anonymous” is complaining about so you can evaluate how accurate — or inaccurate — their claims are:

Reporter: Anonymous
Reported URLs: https://www.databreaches.net/mobikwik-offers-master-class-in-how-not-to-respond-to-a-breach-researchers-scoff-consumers-rage/
Logs or Evidence of Abuse: The Blogger Dissent at Databreaches.net is Linking hacked/leaked personal information from Raid Forums on her blog. The sole reason for linking personal information is on the intent to maliciously shame a company so they can admit to being hacked. This is not right for this blog to link personal information just to manipulate, harass and Shame.

This was the main part of my response to my web host:

I reviewed the post that “anonymous” found objectionable. Their complaint is almost entirely unfounded:
1. There was and is absolutely NO link to RaidForums.com in the post the “anonymous” complainant links to. The forum is mentioned but there is no data on RaidForums linked to at all.
2. There is not even one iota of personal information reproduced or leaked in the post. In fact, the post heavily redacted images to prevent anything from being revealed.
That said:
3. I have removed a link to a now defunct portal that allowed consumers to find out what data the company held on them that had been hacked and leaked. Since the company claimed — and claims — that the data were not real data and were not their data anyway, I’m hard-pressed to understand how they can now claim I am leaking their firm’s customers’ personal data, but I have removed the link anyway. But that link to a portal is all that I am willing to remove as there’s no personal info leaked or linked to in the remaining post. They just don’t want to be embarrassed by criticism so they try to chill protected speech. […]

Now here’s my response to “Anonymous”: You may have been able to censor Rajaharia on LinkedIn and Twitter, and you will probably keep trying to censor me, but I’d encourage you to learn about the Streisand Effect, and take this caution seriously: I don’t tolerate bullies or people who try to chill protected speech. I *will* fight back. And if I want to characterize your incident response to date as an EPIC FAIL, yes, I can do that, too. Oh look, I just did.
The following post by the original poster/seller appeared on the forum where the MobiKwik data — or what was purported to be MobiKwik data — was offered for sale:

Major Update:
===========
So, we have received probably 100-150 mails/messages last 24 hours regarding this leak. People praising us for hacking???, people wanting to learn hacking, people asking to block their details from showing in search portal, to lawyers trying to sue company, and as usual security researchers and news reporters asking for more details. We have replied to most people and blocked all the numbers we got in block requests not to show in portal. All of India is worried about this leak as it is 99 million users and 3.5 million users kyc details. We have very long and deep conversations with some independent security researchers about the consequences if data is leaked or sold and decided we will delete all data from our end as Mobikwik is incompetent in that regard. Sadly they are just digging themselves more and we are not as ruthless as all those news reporters whose only aim is to destroy the company and report anything without thinking about consequences and to destroy the company’s IPO. Only Mobikwik company and we have the copy of 8.2 tb data. (They will have more anyway). And as of 10 mins back only mobikwik have it. We deleted all data and 2 backups of all of data from all our servers and small copies of data loaded into server which hosted the infamous onion site. I’ve done this deletion myself and no foul play here. Now all of your data is secure with Mobikwik and no one can misuse it except of course Mobikwik for targeted ads or call which everyone does anyway. We just don’t want to see a company dig themselves deeper and bury themselves in. Guess we all learned some useful life lessons during this past couple of days. Adios.

Stats of onion site if you are afraid that someone scraped your data from onion site. Total page views 60k and non bot api calls 240k and bot api calls ~200k. Images on site – 6k out of 33m .jpeg files while all files in data are 36m. So, all the secondary markets who advertise mobikwik data on telegram and all – take them with a pinch of salt. All are rough figures as we didn’t collect these before wiping everything. BTW we also got lotta requests asking to hack Chinese companies. lol. 😂 We currently don’t have resources to do new hacks. But we will dump whatever we already have hacked on Chinese companies just because you all asked. Probably no use for most people. Let’s see. Mail: [redacted]@[redacted]

Interesting how they suddenly sound somewhat sympathetic to MobiKwik and criticize some researchers and reporters “whose only aim is to destroy the company and report anything without thinking about consequences and to destroy the company’s IPO.” In a subsequent post they say they didn’t accept any ransom.
Things have rapidly escalated in the wake of Mobikwik’s repeated denials that the digital wallet and payments network firm had a massive breach. As DataBreaches.net reported on Sunday, more than 8 TB of data from the firm had been listed for sale on a popular forum, data that allegedly included KYC (Know Your Customer) data on 3.5 million consumers. And to prove the data were real, the seller created a portal where MobiKwik customers could input their information to see what MobiKwik had on file about them. Despite the samples provided and confirmation by independent researchers that the data were real, MobiKwik gave DataBreaches.net a statement that there had been no breach, repeating a statement it had made on March 4, when it tried to claim that a “media-crazed researcher” had concocted files but that their systems were secure. That “media-crazed researcher” would be Rajshekhar Rajaharia, who has found and reported a number of leaks and vulnerabilities. Rajaharia has responsibly notified the Indian CERT of issues he finds. And in February, he publicly tweeted about MobiKwik (see thread). And he continued to tweet, trying to get MobiKwik to respond responsibly. For his efforts, he has been threatened legally and maligned. For MobiKwik to try to claim that they are secure and this is all concocted by Rajaharia has drawn derision and anger from members of the public as well as security researchers. DataBreaches.net had immediately written back to MobiKwik to tell them that their claim that this was concocted by media-crazed researchers was not credible. DataBreaches.net had previously tweeted (from @Pogowasright account):

So to be clear: you are saying that you checked each record in the sample file and none of them correspond to real customer data or details? And you have no concern about the hacker just dumping the whole file, unredacted, because you say it is fake? Is that accurate?
— Dissent Doe, PhD (@PogoWasRight) March 4, 2021

MobiKwik had not responded to that tweet. Nor did they ever respond to this site’s email to them on Sunday telling them that their denials were simply not credible. Things really blew up online, however, after well-known French security researcher Baptiste Robert sarcastically congratulated MobiKwik. Robert, or “Elliot Alderson” as he calls himself on Twitter, has a history of highlighting big breaches and leaks in India that Indian entities have tried to desperately deny. In this case, his tweet as @fs0c131y, now removed because it violated Twitter’s rules by linking to private information, had said, “Probably the largest KYC data leak in history. Congrats Mobikwik.” And with that, the Twitter floodgates opened. One consumer tweeted:

What the fuck is this @MobiKwik @MobiKwikSWAT How the hell are my all the cards that are linked to my mobikwik account are shown to a certain link ? Shut down your services.#shamemobikwik pic.twitter.com/yN7C1SoPHT
— Aanjney Bhardwaj (@bhardwaj_anjney) March 29, 2021

There have been a flood of other confirmations and angry comments by people who also found their data — real data — exposed, while MobiKwik remains quiet and does not admit what appears obvious to the world. Today, the “media-crazed researcher” (and DataBreaches.net suggests that Raj should consider trademarking that), tweeted that he had also reported a bug to MobiKwik that they had immediately addressed — and then they cheated him by not paying him the bug bounty.

My 1st March conversation With #Mobikwik after this serious data breach. I also reported a bug. They denied it too and removed that Bug in the next 1 hour.
They saved their 1000 rupee bounty by denying it.#InfoSec #DataLeak #GDPR @sanjg2k1 @fs0c131y @troyhunt pic.twitter.com/pP0VRU0vqC
— Rajshekhar Rajaharia (@rajaharia) March 30, 2021

People watching this all unfold should keep in mind that MobiKwik has reportedly been planning for an IPO later this year. The very last thing they need or want right now is a massively expensive and embarrassing data breach that would make investors shy away. Is that the explanation — are they denying all this in the hopes that investors will not run away? It is never appropriate to falsely accuse researchers of concocting a breach to try to cover one up. It is never appropriate to threaten to sue or criminally charge researchers for exposing your security failures and for trying to get you to be accountable to the public. If MobiKwik genuinely believes that there has been no breach, then let them hire a firm like Mandiant to investigate and agree in advance to make the firm’s findings public (as Accellion recently did following their breach). [Updated: it appears that they have indicated that they will hire a firm to investigate.] Troy Hunt, owner of HaveIBeenPwned, sums this one up nicely:

Never *ever* behave like @MobiKwik has in this thread from 25 days ago. Try Googling “mobikwik data breach” now… https://t.co/L5E4xc1ey0
— Troy Hunt (@troyhunt) March 29, 2021

So what should happen now? Well, as a consumer advocate, this blogger would recommend that MobiKwik forget about the funding and IPO right now and do the right thing for the 100 million consumers who trusted them with their data. And as to their threats of “strict legal action”: I and others stand with Rajshekhar Rajaharia. I’ve already been threatened — and actually charged in the past — in India for reporting on their leaks and breaches. Indian entities have for too long failed the public by not using reasonable security and then trying to lie their way out of transparent disclosure and mitigation.
Trying to chill the speech of researchers and journalists will not serve the Indian public well. For those who wish to know more, follow @rajaharia on Twitter and support his efforts to demand accountability and transparency. Speak up, people. And if he needs a legal defense fund, pitch in if you can. And for those who […]
UPDATE 1: MobiKwik is denying any breach. DataBreaches.net just received a statement from them: “Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.” That doesn’t explain how the two researchers confirmed the accuracy of data. DataBreaches.net will continue to look into this but at this point the claim should be considered “UNVERIFIED” because of the denial.

UPDATE 2: In continuing to look into this, it seems that they were first contacted about a security concern in February, and on March 4, they issued the same denial they just sent to this site. DataBreaches.net thanked them for replying but informed them that their denial is not credible because the second researcher has never sought media attention and they, too, confirmed that data they examined corresponded to real data.

Original Post follows:

MobiKwik is India’s leading fintech platform, operating businesses in consumer payments, financial services and payment gateway. The vision of the company is – to build a Digital Credit Card for 100 Million Indians. Founded in 2009 by Bipin Preet Singh and Upasana Taku, the company has raised $110M in funding from marquee investors. With 60% Indian ownership, MobiKwik is the Truly Indian Payments App. MobiKwik’s payments network is one of the largest in India with 120 million users, 3 million merchants, and 300+ billers. The company has pre-approved 20 million users for its Digital Credit Card aka Buy Now Pay Later “BNPL” product – MobiKwik ZIP, which is available to users for making payments via the MobiKwik Wallet and the MobiKwik Blue Amex Card. The company ventured into the Wealthtech space with the acquisition of Mumbai-based Clearfunds.

The preceding is MobiKwik’s boilerplate for media and press.
But right now, they are likely to be getting unwelcome attention after a threat actor has offered up what is alleged to be 8 TB of their data for sale. The listing claims to offer (all spelling and typos as in original listing):

0. Total 350GB mysql dumps – >500 dbs
1. 99 million – mail, phno, passwords, addresses, lots more data, apps installed, ph manf., ip address, gps location
2. 40 million – 10 digit card, month, year, card hash (sha256)
3. lots of dbs with all company data
4. ~7.5 TB of ~3 million Merchant KYC data – passports, adahr cards, pan cards, selfie, store picture proof etc used to get loans on the site – Can be used to raise online loans just like USA leaks but in India.
Price: 1.5 BTC. Exclusive. All data deleted on our end after transfer. MM of your choice.

[Notes: At today’s rates, 1.5 BTC would be USD $83,576.70 or INR 6,084,067.29. “KYC” is “Know Your Customer” and “MM” refers to a middleman service, often recommended to help prevent scams.]

As noted in the forum posting, the seller offered a sample of data as proof. They also offered an onion site portal:

Mobikwik India data leak (Biggest KYC data leak ever!)
Search your phone number or mail id (or any string) to find all your data stored in Mobikwik servers
This database is 8,2 TB and contains 36.099.759 files. Nearly 3,5 million people’s KYC details. Along with 99.224.559 users phone numbers, emails, hashed passwords, addresses, bank accounts & card details etc.

DataBreaches.net heard from a researcher in India who had entered their own number and found their data. That researcher reported that the data was accurate. DataBreaches.net also contacted a second researcher and asked them if they could verify the accuracy of data in the dump by comparing it to another leaked database involving Indian citizenry. Using a government database that had leaked, the second researcher pulled a random entry and confirmed that they were able to find the same user with the same information in both databases.
The first researcher also provided a redacted screencap of the results of a search on a third individual. In the screencap below, redacted by the first researcher, you can see that MobiKwik appears to be storing GPS location and a list of apps that the user has installed on their phone. DataBreaches.net reached out to MobiKwik’s press contacts to ask for a statement about the forum post offering data for sale, and to inquire what they were doing to alert and protect consumers whose data may be compromised. No response was received by publication time, although that is not surprising given that it is Sunday night there now. This post will be updated if and when a reply is received (see Update at top of post; also see other screencaps provided by Rajshekhar Rajaharia last month on Twitter).

More Than Just the Usual Risks?

Apart from all the usual concerns about misuse of such detailed personal and financial data, the possibility that the data could be misused to secure online loans in India is especially concerning in light of new reporting by The New York Times that some Indian lending apps have taken to naming and shaming people who took loans because of the pandemic but then fell behind in their ability to repay the loans. According to NYT:

These lenders don’t require credit scores or visits to a bank. But they charge high costs over a brief period. They also require access to a borrower’s phone, siphoning up contacts, photos, text messages, even battery percentage. Then they bombard borrowers and their social circles with pleas, threats and sometimes fake legal documents threatening dire consequences for nonpayment. In conservative, tightly knit communities, such loss of honor can be devastating.

There have reportedly been at least a few suicides as a result of these high-pressure, socially stigmatizing methods.
Google has removed about 100 Indian loan apps from its platform, but a MobiKwik breach such as the one being claimed by the threat actor has the potential to put many people at risk, […]
Earlier this week, OpIndia reported: After Facebook and Mobikwik, hackers have claimed to have got access to another major tech giant in India. As per two posts by hackers on a hackers’ forum, they have gained access to Tata Communications servers. In the posts, the hackers are offering backdoor entry to anyone who is willing to pay $9000 for the servers. Read more on OpIndia. They posted their story on April 12 and noted that they had reached out to Tata Communications but had not gotten any response — and that they would update if they did. There was no update to that post that day, but there was a significant update the next day. When they heard from Tata, Tata denied having any leak. OpIndia investigated further and the hacker now claimed that access had not been direct, but rather through a third party — which was named as Route Mobile. But Route Mobile has also denied any leak or breach. For more on whether Route Mobile has had any security issue, see this article on NewIndianExpress. Route Mobile is currently investigating the situation with the help of a third-party consultant. The public was further alarmed after reading tweets by Rajshekhar Rajaharia that a firm responsible for generating one-time passwords used for authentication had been compromised:

A Hacker was allegedly selling data & access in a company on DarkWeb. It seems, he was having realtime access of our Banks OTPs including @Google @Facebook @WhatsApp @amazon @Apple @Microsoft @signalapp @telegram @Twitter & more globally. Companies, Plz Investigate #InfoSec #GDPR pic.twitter.com/rvxq5LMwks
— Rajshekhar Rajaharia (@rajaharia) April 15, 2021

So we have Tata denying a breach and Route Mobile denying but investigating. But if the data up for sale on the dark web is real, it is coming from somewhere and the source of that leak or breach needs to be shut down. As @Rajaharia tweeted about the sale of OTPs: “This is really Scary!!
#OTP and #2FA (Two Factor Authentication) was our last hope to protect our Online Transactions and Accounts. Now they are also available for sale.” Update: Rajaharia has kept investigating and posted this subsequently: #OTP Leak Update- There are some chances that data might be old. Found some clues where some changes have been made with dates. Still it’s a part of investigation, as data seems real. Mobile Numbers, Emails are there. How can someone have 10 million+ user’s OTP data? #InfoSec https://t.co/3pmMfBvlDk — Rajshekhar Rajaharia (@rajaharia) April 16, 2021
PTI reports: Retail broking firm Upstox has alerted customers of a security breach that included contact data and KYC details of customers, but assured users that their funds and securities remain safe. The development comes close on the heels of reports of data breaches at organisations like MobiKwik, Facebook and LinkedIn. “On receipt of e-mails claiming unauthorised access into our database, we have appointed a leading international cyber-security firm to investigate possibilities of breach of some KYC data stored in third-party data warehouse systems. This morning, hackers put up a sample of our data on the dark web,” a company spokesperson said in an e-mailed statement. Read more on Indian Express. Upstox has posted an announcement on its site to users. The situation does not appear to be a good one for them, however, as the hacker who posted the sample is a well-known hacker. In listing the data, the hacker listed his offering as “Part 1” of what he will be offering, noting 11 hours ago: We tried to get in touch with Upstox. Unfortunately they still haven’t replied even after 2 weeks, It seems like users’ safety isn’t one of their top priorities. The free samples included user data, 2500 KYC (Know Your Customer) records, and miscellaneous other samples. The same threat actor listed the free samples on a popular Russian-language forum: