Cybersecurity researchers have alleged that a database containing KYC details of nearly 3.5 million users of MobiKwik is up for sale on the dark web.

Atom | Data Leak | Tuesday, March 30, 2021 - 14:51

Digital wallet and payments company MobiKwik, on Monday, denied claims that sensitive data of millions of its users has been leaked. Independent cybersecurity researchers have alleged that a database containing KYC (know your customer) details of nearly 3.5 million users of MobiKwik is up for sale on the dark web.

The alleged breach, first tweeted about by independent cybersecurity researcher Rajshekhar Rajaharia and then by French researcher Elliot Alderson on Monday, includes 8.2TB of data containing users' phone numbers, emails, hashed passwords, addresses, bank accounts and card details.

MobiKwik, however, vehemently denied any such breach. "Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organisation as well as members of the media," the company said in a statement.

"We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure," the company added.

MobiKwik said that the various sample text files that the researcher has been showcasing prove nothing, and anyone can create such text files to falsely harass any company. "Finally, our legal team will be pursuing strict action against this so-called researcher who is trying to malign our brand reputation for ulterior motives," the company said. 

Alderson had tweeted: "Probably the largest KYC data leak in history."

Rajaharia had claimed earlier that "11 crore Indian cardholder's cards' data including personal details and KYC soft copy (PAN, Aadhaar, etc) allegedly leaked from the company's server in India".

According to the researchers, the entire database is available for 1.5 Bitcoin (nearly $84,000) on the dark web.

Bipin Preet Singh, CEO of MobiKwik, said that the company is closely working with requisite authorities, and is confident that security protocols to store sensitive data are robust and have not been breached. Considering the seriousness of the allegation, and by way of abundant caution, it will get a third party to conduct a forensic data security audit, he added. 

“We reiterate that all your MobiKwik accounts and balances are completely safe. All financially sensitive data is stored in encrypted form in our databases,” Bipin Preet said. 

Meanwhile, Hasgeek co-founder Kiran Jonnalagadda tweeted that the MobiKwik data leak is for real and showed a data dump to prove his point. “One of those credit cards was valid until a couple weeks ago, and I don't recall authorising MobiKwik to save it. Companies that lie ought to be taken to the cleaners,” he said.

Ashwin Mahesh, the founder of Mapunity and co-founder of India Together, tweeted that with the company denying reports of the data breach, it’s not clear what the public is supposed to do. He also pointed to utilities around the country that use MobiKwik for online payments but are keeping quiet.

Several users have also tweeted about the alleged MobiKwik data leak.

The reports surfaced as MobiKwik last week raised $7.2 million in a funding round prior to its listing on the stock exchange, according to regulatory filings with the Ministry of Corporate Affairs. The company is reportedly planning an initial public offering (IPO) around September this year to raise $200-250 million. 

According to Entrackr, MobiKwik's post-money valuation currently stands at $493 million with the latest funding round.

Steps to check if your MobiKwik data has been leaked or not

> First, you need to download the TOR browser. 

> Copy and paste the following link in the browser: http://mobikwikoonux37wauz6oqymshuvebj5u763rutlogc2fb2o3ugcazid.onion/?fbclid=IwAR2WYnx4XcQIHTo6AU97a7s2L-eaUy-M30nHZlfhDwbBD3_ThL4KXPffpfQ

> Now, enter your mobile number and click on Search.

How to protect yourself if your data has been leaked

> To change your account password, you can go to https://www.mobikwik.com/mywallet/settings and click Change Password.

> If you wish to withdraw any remaining balance in your wallet or transfer to your bank account, go to https://www.mobikwik.com/mywallet/balance

> To deregister your UPI account from the website or mobile application, you can go to https://www.mobikwik.com/mywallet/linked-banks

> If you wish to remove any debit or credit cards linked to your account, go to https://www.mobikwik.com/mywallet/cards and click Remove. 

With IANS inputs
