Global cryptocurrency exchange and wallet BuyUcoin has rejected information in some media reports which claimed that data of 3.5 lakh customers was compromised. The Delhi-NCR based company clarified that while conducting a routine testing exercise with dummy data, it faced a ‘Low Impact Security Incident’ in which non-sensitive, dummy data of only 200 entries was impacted and not even a single customer was affected during the incident. “We would like to reiterate the fact that only dummy data of 200 entries was impacted which was immediately recovered and secured by our automated security systems,” the company said in a statement.
“We would like to assure our customers that all the transactions on our platform take place in a highly encrypted environment. Our technical team constantly conducts routine security checks to ensure that our customer data is completely secure. We are aware of the high level security threats which exist in today’s world and we continuously upgrade our software and systems to neutralise such malicious and unlawful cyberattacks,” the statement added.
Earlier, media reports had claimed that in a data breach, sensitive data of nearly 3.25 lakh users of BuyUcoin has been exposed on the Dark Web. The data leaked include names, e-mails, mobile numbers, encrypted passwords, user wallet details, order details, bank details, KYC details (PAN number, passport numbers) and deposit history.
According to independent cyber security researcher Rajshekhar Rajaharia, the 6GB file on MongoDB database contains three backup files containing BuyUcoin data.
"This is a serious hack as key financial, banking and KYC details have been leaked on the Dark Web," Rajaharia told IANS and shared some screenshots of the leaked data.
Researchers at cyber security firm Kela Research and Strategy Ltd first discovered the stolen data, linked on the same forum, from Wongnai Media Co Ltd, Tuned Global Pvt Ltd, BuyUcoin, Wappalyzer, Teespring Inc and Bonobos.com, which looks like the handiwork of infamous hacking group ShinyHunters.
"Over this past summer, ShinyHunters was seen publishing leaked data for free, exposing millions of personal records from all over the world," Victoria Kivilevich, threat intelligence analyst at Kela Research, told SiliconANGLE.
"We have seen collaborators of Shiny Hunters selling and leaking other dumps in the recent months."
Founded in July 2016, BuyUcoin is a crypto wallet and exchange platform where merchants and consumers can transact with digital assets like Bitcoin, ethereum, ripple etc.
Based out of Delhi-NCR, the company claims it has over 3.5 lakh customers and has helped them trade in over $500 million to date.
We are on a mission "to bring cryptocurrencies in a million Indian pockets," the company says on its website.
ShinyHunters has also leaked 1.9 million user records stolen from free online photo editing application Pixlr. According to Rajaharia, the hacker is the same who earlier leaked BigBasket and JusPay data in India.
In November last year, one of India's popular online grocery stores BigBasket found that its data of over 20 million users had been hacked and were on sale on the dark web for over $40,000.
"Now, the same hacker group is asking about $10,000 in Bitcoin for the BigBasket database and is also selling the three companies' databases," Rajaharia said.
"There is a strong connection between all these recent data leaks, including BigBasket," he added.
Earlier this month, Bengaluru-based digital payments gateway JusPay said that about 3.5 crore records with masked card data and card fingerprint were compromised by the hacker.
Rajaharia also disclosed that three Indian companies -- e-marketplace ClickIndia, fintech startup for small business owners ChqBook and wedding planning website WedMeGood -- were also hacked possibly by the same hacker.
"Nearly 80 lakh users of ClickIndia (name, email, mobile and other personal details), 10 lakh users of ChqBook (name, email, mobile, full address and other personal details) and 13 lakh users of WedMeGood (name, email, hashed password, other sensitive personal information) were hacked," Rajaharia had revealed.
With IANS inputs