Indian payment and wallet service provider MobiKwik has allegedly been hacked. Nearly 3.5 million customers’ KYC information may have been leaked.
MobiKwik’s KYC Data on the Dark Web
MobiKwik was founded in Gurugram, India, in 2009. The company offers payment services and a digital wallet via a mobile app. In 2016, the company began offering small loans to users, which required users to submit Know-Your-Customer (KYC) information.
According to independent researcher Rajshekhar Rajaharia, the KYC data hacked from MobiKwik has appeared on a dark web forum for hackers. The seller set up a portal where a user can search by phone number or email ID and get specific results out of a total of 8.2 TB of data. A buyer can receive exclusive rights to the entire database for 1.5 BTC. Apparently, a user has already tried to scrape the entire 99 million entries.
According to the seller, each database entry can be used to raise $500-$1,000 in loans in Indian currency. This could make the 1.5 BTC investment worth up to $3 billion. The seller claims to have already obtained loans with the information as a proof-of-concept.
The Company Denies the Breach
Regarding this incident, MobiKwik responded, saying: “Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.”
However, this response does not explain why the seller also claims the data source is MobiKwik, nor why samples seen on the portal contain images of MobiKwik QR codes.
The “media-crazed so-called security researchers” is a veiled reference to Rajaharia. Earlier this month, the internet security researcher tweeted that cardholder data had been leaked from MobiKwik’s server. MobiKwik denied that allegation as well and threatened Rajaharia with litigation for making the allegations without proper evidence. However, the company admitted to a data breach that occurred in 2010.
Although this may prove to be the largest leak of KYC information so far, smaller hacks happen with alarming frequency. On March 15, hackers hijacked the domain names of PancakeSwap and Cream Finance. Users trying to access these sites were redirected to an unknown address and asked for their wallet seed phrases. Earlier, in February, another hacker stole $37.5 million from Cream.