Payment app MobiKwik has courted controversy after allegations of an online data leak, comprising Aadhaar details, phone numbers, addresses and KYC details, surfaced on social media. As per the allegations, the details of around 3.5 million users are at risk after 8.2 terabytes of data about the homegrown financial platform were leaked on the dark web. MobiKwik has come up with a statement denying the data breach.
The data breach came to light after some MobiKwik users posted screenshots of their financial and KYC details on social media. The dark web link containing these financial details was up for sale for 1.5 bitcoin or $86,000, Business Standard reported. All the details, including Aadhaar, KYC, and address, were visible to anyone, except the password.
Meanwhile, MobiKwik has said it has found no such security lapses on its part. "Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organisation as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure," a MobiKwik spokesperson said.
Rajshekhar Rajaharia, self-proclaimed internet security researcher, posted a series of tweets claiming data of 11 crore Indians is up for sale. "11 crore Indian cardholders' data allegedly leaked from @MobiKwik server, the hacker claimed. It seems the hacker still has their data. The backup was allegedly taken on 20 Jan 2021. He claims to have had MobiKwik access for the last 30 days. @RBI @IndianCERT Please look into this matter," he tweeted on March 4, along with screenshots of the financial details of some users.
"Again!! 11 Crore Indian cardholders' card data including personal details & KYC soft copy (PAN, Aadhaar etc.) allegedly leaked from a company's server in India. 6 TB KYC data and 350GB compressed mysql dump. @RBI @IndianCERT #InfoSec #dataprotection #Finance pic.twitter.com/yjc7davH3k" — Rajshekhar Rajaharia (@rajaharia), February 26, 2021
MobiKwik said its user and company data is completely safe and secure. "The various sample text files that he has been showcasing prove nothing. Anyone can create such text files to falsely harass any company," it said. The company also said it will take legal action against this "so-called researcher" who is trying to "malign our brand reputation for ulterior motives".
"A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organization while desperately trying to grab media attention. We thoroughly investigated his allegations and did not find any security lapses. 1/n" — MobiKwik (@MobiKwik), March 4, 2021
He again put out a tweet on March 26, claiming 11 crore Indian cardholders' data has allegedly leaked from a company's server in India. "Orphan/unclaimed data of 10 crore Indian debit #creditcard numbers including expiry date/month and KYC photos (PAN, Aadhaar) are wandering on the dark web. The responsible (hacker) is saying that their card data is on their database. How can it be on the dark web," he tweeted.
Rajaharia even alleged that MobiKwik deleted a blogpost about a previous unauthorised server access (in 2010) after his tweet. "I think it's a big controversy now... what was the need of this step. Hiding things is not a solution," he asked. MobiKwik has junked these claims, saying the blogpost is up and was never deleted.
A French hacker who goes by the pseudonym Elliot Alderson tweeted that it's "probably the largest KYC data leak in history. Congrats MobiKwik". He added that the company was denying the data leak despite the "proofs".
"Probably the largest KYC data leak in history. Congrats Mobikwik... pic.twitter.com/qQFgIKloA8" — Elliot Alderson (@fs0c131y), March 29, 2021
Experts say the company won't be able to do much except accept the data leak, if it has occurred at all. MobiKwik last week raised about $7.2 million in a fresh funding round after the allotment of about 42,159 preference shares at an issue price of Rs 12,450 per share. The company also plans to go public by September.