Founded in 2009, MobiKwik is India’s leading fintech platform, operating businesses in consumer payments, financial services and payment gateway.
According to MobiKwik, “It is one of the largest in India with 120 million users, 3 million merchants, and 300+ billers. The company has pre-approved 20 million users for its Digital Credit Card aka Buy Now Pay Later “BNPL” product – MobiKwik ZIP, which is available to users for making payments via the MobiKwik Wallet and the MobiKwik Blue Amex Card. The company ventured into the Wealthtech space with the acquisition of Mumbai-based Clearfunds.”
On Monday, MobiKwik suffered that they are under attack after 8.2 Terabyte(TB) of users data began to up for sale on Dark web. It is being called the biggest data leak in Indian history.
The Leaked Data includes:
- Customer Name
- Phone Number
- Hashed Password
- List of Installed app on there phone
- GPS Location
- Bank Details (Account Number, IFSC)
- Masked Credit Card Number
- KYC Documents of 3.5 million users
In recent months, several Indian startups has suffered massive data breaches. Mobikwik joins the list of other high-profile targets, including Big Basket, Unacademy and JusPay.
Even worse, the leak also shows that MobiKwik did not delete the card details even after a user has removed them, in what’s likely a breach of government regulations.
New guidelines issued by the Reserve Bank of India, including the impending payment aggregator and payment gateway guidelines and prohibit online merchants, e-commerce websites, and payment aggregators from storing card details of a customer online. The rules are set to come into effect starting July 2021.
The Forums where the data was leaked is accessible via Tor browser.
It’s not clear how the hacker managed to gain unauthorized access to MobiKwik’s servers, but the hacker said, “it’ll be embarrassing for the company. story for someother time..” (sic)
MobiKwik says that ” Some users have reported that their data is visible on the darkweb. While we are investigating this, it is entirely possible that any user could have uploaded her/ his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the darkweb has been accessed from MobiKwik or any identified source.”
“When this matter was first reported last month, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach. The company is closely working with requisite authorities, and is confident that security protocols to store sensitive data are robust and have not been breached. Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit.”
Here’s how you can check if you data is compromised or not
First thing is you need to do to check. we recommend doing before anything else is to download the Tor browser, you can do so by visiting the link here.
Tor is a free and open-source web browser that helps you anonymously browse the web using a volunteer relay network. This makes it more difficult for people to snoop around on you while you browse.
Now open this link on Tor browser – Breached Database
This is the entire database of the breach that is now online. Disturbingly it also has pictures as proof of Random KYCs in the database. Search for your information using your phone number or email id. If nothing shows up, you are safe and you can breathe a sigh of relief.