Big Basket Data Breach Allegedly Compromises Data of 20M Users

Online grocery delivery service Big Basket reportedly had its database of more than 20 million customers leaked on the dark web. The incident comes as the India grocery delivery startup first confirmed it suffered from a data breach last 2020, reports Tech Crunch.

Cybersecurity intelligence firm Cyble confirmed that the hacker who published the database on the dark web is known as ShinyHunters, reveals Business Insider India. The database was available for download by anyone who uses the said popular cybercrime forum RaidForums over the weekend.

The data set posted on the dark web-centered on the personal details of customers. These include their names, hashed passwords, email IDs, contact numbers, addresses, and dates of birth. Most of the details also came with the location and IP addresses of users.

Big Basket Data Breach Allegedly Compromises Users Data

Although ShinyHunters posted the database on the site, Tech Crunch states that at least two other malicious threat actors claimed they had successfully decoded the passwords and have since put the passwords up for sale on the site.

In an interview with Gadgets 360, security researcher Rajshekhar Rajaharia said that the decryption of millions of passwords related to the Big Basket data breach “could lead to a serious problem for the affected customers as bad actors would gain access to their personal Web accounts using the decrypted passwords and leaked email addresses.”

The Quint confirmed through cybersecurity researcher Sourajeet Majumder that the amount of data posted on the dark web totals 3.25 gigabytes worth of storage for 20 million (or 2 crore) users.

In a statement, a representative from Big Basket said, “This article/social media post refers to an alleged data breach in Nov-2020 and not something that has happened recently. The reason we know it’s not recent is that the article/social media post mentions the release of hashed passwords.”

“We had eliminated all hashed passwords from our system and moved to a secure OTP-based authentication mechanism quite some time back. Also, our site does not collect or store any sensitive personal data of customers like credit card details. So customer data continues to be safe and no further action needs to be taken by customers,” continued the spokesperson.

Following the release of personal details on the dark web, Majumder told The Quint that users can do their part in changing their passwords to avoid unauthorized access or fraud. The security researcher also called on Big Basket to notify its customers about the incident.