BigBasket data breach: personal details of 2 crore users being sold on dark web

The BigBasket data breach reportedly took place on October 30th and it involved personal details of over 2 crore users being sold on the dark web.

Highlights
  • BigBasket faced a major data breach on October 30th
  • Personal info of around 2 crore users put on sale on the dark web
  • The company has filed a police complaint in this regard with the Cyber Crime Cell

BigBasket has reportedly suffered a major data breach, compromising the personal data of around 2 crore users. Users’ email addresses, password hashes, contact numbers (mobile and phone), addresses, date of birth, location, login IP addresses, and more have been put on sale on the dark web for around Rs 30 lakh, claims cyber intelligence firm Cyble. The BigBasket data breach reportedly took place on October 30th. Cyble has informed BigBasket about the breach, and the e-commerce platform has filed a complaint with the Cyber Crime Cell in Bengaluru. The company is evaluating the ‘extent of the breach and authenticity of the claim.’

“In the course of our routine dark web monitoring, the research team at Cyble found the database of BigBasket for sale in a cybercrime market, being sold for over USD 40,000. The leak contains a database portion; with the table name ‘member_member’. The size of the SQL file is about 15GB, containing close to 20 million user data,” Cyble said in its blog.

While the firm has mentioned ‘passwords’ among the leaked details of BigBasket’s customers, it should be noted that the company uses an OTP, or one-time password, sent through SMS, which changes every time a user logs into their account.

“A few days ago, we learnt about a potential data breach at BigBasket and are evaluating the extent of the breach and authenticity of the claim in consultation with cybersecurity experts and finding immediate ways to contain it. We have also lodged a complaint with the Cyber Crime Cell in Bengaluru and intend to pursue this vigorously to bring the culprits to book,” BigBasket said in a statement.

The e-commerce platform claims that it prioritises the privacy and confidentiality of its customers, that it does not store any financial data, including credit card numbers, and that it is confident users’ financial data is secure. “The only customer data that we maintain are email IDs, phone numbers, order details, and addresses so these are the details that could potentially have been accessed. We have a robust information security framework that employs best-in-class resources and technologies to manage our information. We will continue to proactively engage with best-in-class information security experts to strengthen this further,” BigBasket said.