Online grocery platform BigBasket has faced a potential data breach, compromising personal details about over 20 million of its users, a report by US-based cybersecurity intelligence firm Cyble Inc has said.
"In the course of our routine Dark web monitoring, the Research team at Cyble found the database of Big Basket for sale in a cybercrime market, being sold for over $40,000. The leak contains a database portion; with the table name 'member_member'. The size of the SQL file is ~ 15 GB, containing close to 20 Million user data. More specifically, this includes full names, email IDs, password hashes (potentially hashed OTPs), pin, contact numbers (mobile + phone), full addresses, date of birth, location, and IP addresses of login among many others," Cyble said in the blog post.
The cybersecurity firm has also revealed the names of names and addresses of people exposed to the data leak. It said the financial data of the users is safe.
The stolen data is now being sold for $40,000 on the dark web, the report said, adding that details like names, email IDs, password hashes, PIN, contact numbers, addresses, dates of birth, location, among other details have been stolen by the hackers.
Meanwhile, BigBasket, which is based out of Bengaluru, has lodged a complaint with the city police's cyber cell. The company, in a statement, has said it does not share financial data like credit card details with anyone.
BigBasket said it learned about the hack a few days ago. "We learned about a potential data breach at BigBasket and are evaluating the extent of the breach and authenticity of the claim in consultation with cybersecurity experts and finding immediate ways to contain it."
"The customer data we maintain are email IDs, phone numbers, order details and addresses so there are details that could potentially have been accessed. We have a robust information security framework that employs best-in-class resources and technologies to manage our information," the company said in a statement.
The company said it'll continue to proactively engage with best-in-class information security experts to strengthen this further. Notably, when customers do online shopping details like debit and credit card details are stored with the company website to smoothen functioning in future.
Cyble, in its blog post, said the breach happened on October 31, and informed BigBasket about the possible data breach on November 1.
Data breach incidents have been on the rise in India. This year alone, two major companies, Dr Reddy's Laboratories and Facebook-backed Unacademy, have been victims of cyberattacks. In May, data of around 20 million users of Unacademy was leaked and put up on dark web for sale.
Pharma major Dr Reddy's had to shut down all its production facilities across the world after a data breach was reported in its servers on October 22. This comes just days after the pharmaceutical giant received the approval from the Drugs Controller General of India to conduct the phase 2/3 trials of the Russian vaccine in India.