Payment app MobiKwik came under scrutiny on Monday, March 30, after a security researcher claimed that data of 3.5 million users was put up for sale on the dark web, reported India Today.
The researcher alleged that sensitive data including KYC details, addresses, phone numbers, Aadhaar card data and other details of 3.5 million users was put on the dark web for sale. Several users allegedly found their personal details on the dark web link that has been widely shared on the internet.
In a statement on the alleged data breach, MobiKwik CEO Bipin Preet Singh said, "Some users have reported that their data is visible on the dark web. While we are investigating this, it is entirely possible that any user could have uploaded his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source."
"When this matter was first reported last month, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach. The company is closely working with requisite authorities and is confident that security protocols to store sensitive data are robust and have not been breached. Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit. For our users, we reiterate that all your MobiKwik accounts and balances are completely safe. All financially sensitive data is stored in encrypted form in our databases. No misuse of your wallet balance, credit card, or debit card is possible without the one-time-password (OTP) that only comes to your mobile number. We strongly recommend that you do not try to open any dark web anonymous links as they could jeopardize your own cyber safety. We are committed to a safe and secure Digital India," the elaborate statement read.
The company's clarification, however, does not match the claims made by users who found their personal details on the dark web.
The data breach was first detected by security researcher Rajshekhar Rajaharia in February 2021.
"11 Crore Indian Cardholder's Cards Data Including personal details & KYC soft copy(PAN, Aadhar etc) allegedly leaked from a company's Server in India. 6 TB KYC Data and 350GB compressed mysql dump," the researcher had said.
The screenshots of the MobiKwik breach were posted on Twitter by another security researcher who goes by the name Elliot Alderson. He called it the "largest KYC data leak in history".
According to a report by TechNadu, email IDs, phone numbers, passwords, apps installed, phone manufacturer, IP address, GPS locations, and other details of users were leaked. The report also revealed that the alleged seller has set up a dark web portal "where one can search by phone number or email ID and get the specific results out of a total of 8.2 TB of data."
The company had denied allegations made by Rajshekhar in February. However, on Monday, a link from the dark web was reportedly seen online, where users claimed to see their personal details. As per reports, data was being sold for 1.5 bitcoin or about $86,000.
"Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure," a company spokesperson said.