April 07, 2021

MobiKwik Suffers Major Breach — KYC Data of 3.5 Million Users Leaked

Here is what happened

Popular Indian mobile payments service MobiKwik came under fire after 8.2 terabytes (TB) of data belonging to millions of its users began circulating on the dark web for sale.

What got leaked?

The leaked data includes sensitive personal information such as:

  • customer names,
  • hashed passwords,
  • email addresses,
  • residential addresses,
  • GPS locations,
  • list of installed apps,
  • partially-masked credit card numbers,
  • connected bank accounts and associated account numbers, and
  • know your customer (KYC) documents of 3.5 million users.

Even worse, the leak also shows that MobiKwik did not delete card information from its servers even after a user removed it, which is likely a breach of government regulations.

New guidelines issued by India’s apex banking institution, the Reserve Bank of India, prohibit online merchants, e-commerce websites, and payment aggregators from storing card details of a customer online. The rules are set to come into effect starting July 2021.

MobiKwik’s response to this breach

MobiKwik has continued to deny the allegations, releasing a lengthy statement refuting claims that user data is available on the dark web.

The company says it has robust internal policies and information security protocols and is subject to stringent compliance measures under its PCI-DSS, CISA, and ISO 27001:2013 certifications. These include annual security audits and quarterly penetration tests to ensure the security of its platform. Under its ISO 29147 responsible vulnerability disclosure program, it has a long-running bug bounty program through which ethical hackers report security issues that are immediately fixed.

Even though MobiKwik has denied this leak, there are several reasons to believe that a breach occurred. Several MobiKwik users have claimed on Twitter, posting screenshots of the leak, that their data is present in the leaked database.

The ongoing battle between the platform and the researcher leaves MobiKwik users with uncertainty and confusion. Even though the matter will be investigated over the next few days, users are advised to set new passwords on their MobiKwik accounts. They should also change the passwords on their email accounts and set up two-factor authentication (2FA), including OTPs and fixed passcodes, wherever possible.

What’s the best security strategy against such focused cyber-attacks?

The number of data breaches in India has been rising over the last two years. In November, BigBasket filed a complaint with the Cyber Crime Cell in Bengaluru to verify claims made by cybersecurity intelligence firm Cyble that a hacker had put the online grocer's user data up for sale on the dark web for over $40,000. In May, edtech startup Unacademy had also disclosed a data breach that compromised the accounts of 22 million users.

According to the national cybersecurity agency, cyber attacks have surged from 53,117 in 2017 to 208,456 in 2018, 394,499 in 2019, and 1,158,208 in 2020.

The cyber-crime landscape is evolving so fast that it is only a matter of time before an attacker gets in and exfiltrates business-sensitive data. When attackers cannot infiltrate a business directly, they go through its third parties. Traditional security strategies are proving insufficient against such targeted attacks.

Sumeru recommends the below steps:

  • Monitor your external attack surface continuously
  • Monitor partners and third-party vendors
  • Conduct regular threat hunting activity
  • Run continuous red team assessments

For over 20 years, Sumeru has been helping businesses prevent breaches, simulate attacks, monitor security, stay compliant, and get secured with 40+ security offerings.

Reach out to hello@sumerusolutions.com to know more.