MobiKwik investigating data breach after 100M user records found online

Manish Singh
Reporter, India, TechCrunch
March 30, 2021

MobiKwik Investigates Potential Data Breach

MobiKwik announced on Tuesday that it is currently investigating allegations concerning a data breach. These claims surfaced after a website asserted it had exposed the private information of approximately 100 million users of the Indian mobile payments company.

Data Breach Claims and Details

Reports emerged over the weekend indicating that a site operating on the dark web possessed 8.2 terabytes of MobiKwik user data. This data reportedly encompasses phone numbers, email addresses, hashed passwords, transaction records, and partially masked payment card details.

The website further alleges the possession of “know your customer” (KYC) documentation – specifically, government-issued Aadhaar cards or PAN IDs – belonging to 3.5 million users. Each access to the site reportedly displays four randomly selected images extracted from the compromised data.

KYC Requirements in India

In India, KYC documents are essential for users seeking unrestricted access to certain services. Regulations require mobile wallet companies to complete KYC verification before allowing monthly transactions that exceed predefined limits.

Verification of the Breach

The dark web site provides a searchable database, allowing individuals to input their phone number or email address to assess the validity of the data breach claims. TechCrunch successfully confirmed the accuracy of the data in multiple instances.

Database Sale on Cybercrime Forum

A seller on a recognized cybercrime forum is reportedly offering access to the database for 1.2 bitcoin, which is currently valued at around $70,000.

MobiKwik's Response

MobiKwik, which is backed by Sequoia Capital India, maintains that it has not yet been able to confirm whether the data genuinely originates from its user base. The company stated in a blog post that claims of data originating from MobiKwik or any identified source are inaccurate.

Prior Security Alert

Rajshekhar Rajaharia, a security researcher, informed TechCrunch that he alerted MobiKwik to this potential security breach last month. MobiKwik responded with a statement asserting that a thorough investigation had revealed no evidence of a breach.

Internal Communication Leak

However, a leaked screenshot obtained by TechCrunch reveals a MobiKwik official requesting logs from Amazon concerning its cloud service. This request followed the startup’s discovery that its S3 cloud storage data had been downloaded by an unauthorized external party.

Legal Threats and Researcher Response

MobiKwik indicated its legal team will pursue “strict action” against the security researcher. Rajaharia countered by stating that users have a right to know if their financial data is secure and that he lacks the resources for protracted legal battles.

Ongoing Investigation and Security Measures

MobiKwik affirmed its close collaboration with relevant authorities and expressed confidence in the robustness of its security protocols for storing sensitive data. The company is also commissioning a third-party forensic data security audit. “We are committed to a safe and secure Digital India,” MobiKwik stated.
