The personal data of almost 100 million subscribers of the payment application developed by the Indian startup MobiKwik were put up for sale on the darknet, writes TechCrunch.
Last weekend, participants in one of the underground sites stated that they have an array of confidential information from MobiKwik.
According to unidentified sellers, in total they have about 8.2 TB of data: phone numbers, email addresses, encrypted passwords, transaction logs and partial numbers of payment cards.
To verify the authenticity of the proposed data, the sellers asked journalists to find confidential information about certain people in the database by phone number or e-mail address. Thus, TechCrunch has tested several people.
The cost of accessing the database on the forum on the darknet was estimated at 1.2 bitcoins (approximately $ 70 thousand).
In addition to the confidential information of 100 million MobiKwik users, the underground site holds approximately 3.5 million KYC documents that users in India need to identify themselves when receiving a range of services.
MobiKwik representatives have not yet been able to confirm the authenticity of the information offered for sale. At the same time, the renowned Indian information security researcher Rajshekhar Rajaharia has no doubts that the leak originated from the mobile application database.
Back in February, he warned MobiKwik about an alleged information security incident, he said. However, the company said in an official statement that the investigation did not find any evidence of the information leak.
At the same time, the journalists got a screenshot of MobiKwik’s correspondence with the Amazon cloud service: representatives of the mobile application asked the provider to provide them with event logs in their “cloud”, after the startup learned that people outside the organization access the data from the storage.