BigBasket Data Breach: 20 Million User Records Leaked Online

April 26, 2021
A substantial database, reportedly containing information from approximately 20 million BigBasket users, has surfaced on a prominent cybercrime forum. This leak occurred several months after the Indian grocery delivery service initially acknowledged experiencing a data security incident.

Details of the Leaked Data

The compromised database contains a wide range of user data: email addresses, phone numbers, residential addresses, hashed passwords, dates of birth, and records of user interactions with the platform. TechCrunch independently verified the accuracy of details pertaining to several individuals listed within the database, including information belonging to a member of their own staff.

BigBasket's Response

A representative from BigBasket issued the following statement regarding the matter: “The report circulating in articles and on social media concerns a data breach that allegedly took place in November 2020, and is not a recent event. We are confident this is not a current breach because the reports reference the release of hashed passwords. We proactively removed all hashed passwords from our systems and implemented a more secure, OTP-based authentication process some time ago.”

The spokesperson further clarified, “Our platform does not collect or store sensitive financial data, such as credit card details. Therefore, customer data remains secure, and no additional action is required from our customers at this time.”

Further Inquiry and Hacker Claims

TechCrunch has sought further clarification from BigBasket regarding the exposure of personal details – specifically email addresses, physical addresses, and phone numbers – contained within the leaked database.

The alleged database was published by a hacker known as ShinyHunters on a widely used cybercrime forum over the weekend, making it freely available for download.

Subsequent posts on the forum indicate that at least two individuals claiming to be threat actors have successfully cracked the hashed passwords and are offering them for sale.

ShinyHunters has not yet responded to requests for comment.

Context of the Tata Group Acquisition

This incident occurs shortly after the Indian conglomerate Tata Group reached an agreement to acquire BigBasket, valuing the startup at over $1.8 billion. The proposed acquisition is currently pending approval from Indian regulatory authorities.

Previous Confirmation of Breach

BigBasket initially confirmed a data breach in November of last year, following reports that hackers had successfully extracted information from 20 million customer accounts.

TechCrunch has also inquired with a BigBasket co-founder regarding whether the company informed its customers about the initial data breach.

This article has been updated to include BigBasket’s official statement.
