Leading online grocery and shopping company BigBasket suffered a data breach, resulting in more than 20 million customers to be impacted by the incident. According to Blomberg, personal details of customers have been stolen.
BigBasket is an Alibaba-backed company. It is a Bangalore-based online grocer that provides a one-stop-shop for food and household items in over 24 cities in India.
Prior to this massive incident, Bloomberg also revealed that Alibaba Holding Group Ltd. also became the target of attackers in a data breach when it infiltrated Lazada unit.
United States-based cybersecurity firm Cyble Inc. reportedly found out about the incident on October 30, 2020. However, the security researchers found that the breach occurred much earlier, around October 14, 2020, notes The Indian Express.
After validating the breach, Cyble Inc. reached out to BigBasket and informed the management regarding the attack. The Indian Express said the cybersecurity firm later on published details of the breach on November 7, 2020.
The compromised data stolen by the hackers include the full names of customers, their email IDs, mobile numbers, full addresses, and many others. Password hashes or potentially hashed OTPs, pin numbers, date of birth, location, and IP addresses have also been made vulnerable in the aftermath of the attack. These have been posted on the dark web with a valued sale of $40,000, said Cyble.
In its blog post, the U.S.-based cybersecurity research team said that the database compromised is around 15 gigabytes, with the SQL file containing around 20 million user data, reports The Hindu.
Meanwhile, co-founder and chief executive officer of BigBasket Hari Menon confirmed the attack. In an interview with Bloomberg, Menon said, “ There’s been a data breach and we’ve filed a case with the cybercrime police. The investigators have asked us not to reveal any details as it might hamper the probe.”
Following the incident, the Bangalore-based firm said that they are finding ways to contain the extent of the breach. Apart from working with cybersecurity agencies, The Indian Express reports that it had already filed an official complaint with the Cyber Crime Cell in the region.
In attempts to pacify the customers and bring a sense of relief, the company said that it does not store any financial data on its website, including but not limited to credit card numbers and the like.
According to Bloomberg, the incident comes as BigBasket is slated to sell 50% of its stake to the e-Commerce platform Tata Group. The deal is valued at $2 billion.
