MobiKwik data breach: personal data of over 10 crore users reportedly on sale on dark web

This could be the biggest KYC data leak ever!

Highlights
  • Hackers have managed to access the information of over 10 crore MobiKwik users. 
  • Personal data such as names, email addresses, PAN/Aadhar card numbers, credit/debit card info, and more are up for sale online. 
  • MobiKwik denies any data breach has taken place

Popular mobile payments platform MobiKwik has reportedly suffered a major data breach, exposing the private information of over 10 crore users. Critical information such as names, email addresses, KYC details, credit/debit card numbers, and more appear to have been stolen. The database is an eye-watering 8.2TB in size and is up for sale on the dark web for 11.5 Bitcoin (approx Rs 63,640,00). Interestingly enough, it’s been quite some time since this information has been out and about on the internet, as per security researcher Rajshekhar Rajaharia on Twitter. The MobiKwik data breach has also been confirmed by French security researcher Elliot Alderson, who has an impressive track record in exposing security vulnerabilities. 

To make matters worse, MobiKwik vehemently denies that its infrastructure has been compromised. It had the following to say in a statement, “Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organisation as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.” It has been largely silent about the matter after issuing the statement. 

This isn’t the first time MobiKwik has witnessed a breach. The company had another infosec-related incident all the way back in 2010 and seems to have learned nothing from it. It still refuses to acknowledge that its servers have been breached, despite overwhelming evidence suggesting otherwise. Whether or not it has found out the vulnerability and fixed it remains unknown. There is no recourse for affected users, given that the entirety of their personal information has been leaked online.