In: Threat actor offers to sell 8 TB of MobiKwik’s personal and financial data on almost 100M consumers
UPDATE1: MobiKwik is denying any breach. DataBreaches.net just received a statement from them:
“Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.”
That doesn’t explain how the two researchers confirmed the accuracy of data. DataBreaches.net will continue to look into this but at this point the claim should be considered “UNVERIFIED” because of the denial.
UPDATE 2: In continuing to look into this, it seems that they were first contacted about a security concern in February, and on March 4, they issued the same denial they just sent to this site. DataBreaches.net thanked them for replying but informed them that their denial is not credible because the second researcher has never sought media attention and they, too, confirmed that data they examined corresponded to real data.
Original Post follows:
MobiKwik is India’s leading fintech platform, operating businesses in consumer payments, financial services and payment gateway. The vision of the company is – to build a Digital Credit Card for 100 Million Indians. Founded in 2009 by Bipin Preet Singh and Upasana Taku, the company has raised $110M in funding from marquee investors. With 60% Indian ownership, MobiKwik is the Truly Indian Payments App.
MobiKwik’s payments network is one of the largest in India with 120 million users, 3 million merchants, and 300+ billers. The company has pre-approved 20 million users for its Digital Credit Card aka Buy Now Pay Later “BNPL” product – MobiKwik ZIP, which is available to users for making payments via the MobiKwik Wallet and the MobiKwik Blue Amex Card. The company ventured into the Wealthtech space with the acquisition of Mumbai-based Clearfunds.
The preceding is MobiKwik’s boilerplate for media and press. But right now, they are likely to be getting unwelcome attention after a threat actor has offered up what is alleged to be 8 TB of their data for sale.
The listing claims to offer (all spelling and typos as in original listing):
[Notes: At today’s rates, 1.5 BTC would be USD $83,576.70 or INR 6,084,067.29. “KYC” is “Know Your Customer” and “MM” refers to a middleman service, often recommended to help prevent scams.]
0. Total 350GB mysql dumps – >500 dbs
1. 99 million – mail, phno, passwords, addresses, lots more data, apps installed, ph manf., ip address, gps location
2. 40 million – 10 digit card, month, year, card hash (sha256)
3. lots of dbs with all company data
4. ~7.5 TB of ~3 million Merchant KYC data – passports, adahr cards, pan cards, selfie, store picture proof etc used to get loans on the site – Can be used to raise online loans just like USA leaks but in India.
Price: 1.5 BTC. Exclusive. All data deleted on our end after transfer. MM of your choice.
As noted in the forum posting, the seller offered a sample of data as proof. They also offered an onion site portal:
Mobikwik India data leak (Biggest KYC data leak ever!)
Search your phone number or mail id (or any string) to find all your data stored in Mobikwik servers
This database is 8,2 TB and contains 36.099.759 files. Nearly 3,5 million people’s KYC details.
Along with 99.224.559 users phone numbers, emails, hashed passwords, addresses, bank accounts & card details etc.
DataBreaches.net heard from a researcher in India who had entered their own number and found their data. That researcher reported that the data was accurate. DataBreaches.net also contacted a second researcher and asked them if they could verify the accuracy of data in the dump by comparing it to another leaked database involving Indian citizenry. Using a government database that had leaked, the second researcher pulled a random entry and confirmed that they were able to find the same user with the same information in both databases.
The first researcher also provided a redacted screencap of the results of a search on a third individual. In the screencap below, redacted by the first researcher, you can see that MobiKwik appears to be storing GPS location and a list of apps that the user has installed on their phone.
DataBreaches.net reached out to MobiKwik’s press contacts to ask for a statement about the forum post offering data for sale, and to inquire what they were doing to alert and protect consumers whose data may be compromised. No response was received by publication time, although that is not surprising given that it is Sunday night there now. This post will be updated if and when a reply is received (see Update at top of post; also see other screencaps provided by Rajshekhar Rajaharia last month on Twitter).
More Than Just the Usual Risks?
Apart from all the usual concerns about misuse of such detailed personal and financial data, the possibility that the data could be misused to secure online loans in India is especially concerning in light of new reporting by The New York Times that some Indian lending apps have taken to naming and shaming people who took loans because of the pandemic but then fell behind in their ability to repay the loans. According to NYT:
These lenders don’t require credit scores or visits to a bank. But they charge high costs over a brief period. They also require access to a borrower’s phone, siphoning up contacts, photos, text messages, even battery percentage.
Then they bombard borrowers and their social circles with pleas, threats and sometimes fake legal documents threatening dire consequences for nonpayment. In conservative, tightly knit communities, such loss of honor can be devastating.
There have reportedly been at least a few suicides as a result of these high-pressured socially stigmatizing methods. Google has removed about 100 Indian loan apps from its platform, but a MobiKwik breach such as the one being claimed by the threat actor has the potential to put many people at risk, especially the 3.5 million people for whom there is reportedly KYC data now compromised.