A report by TechNadu said that payment platform MobiKwik recently suffered a data breach that resulted in the private information of 3.5 million users being up for sale on the dark web. This amounts to a whopping 8.2 terabytes of user data, the largest so far if confirmed.
The leak is composed of different types of sensitive data such as scans of identification cards, passports, selfies, phone numbers, addresses, emails, and many others. All this information is up for sale on a popular hacker forum for 1.5 BTC or up to $84,000.
MobiKwik is a financial technology platform that offers mobile-based payments and digital wallet transactions. It has also offered small loans to users since 2016, requiring them to provide personally identifiable information, documents, scanned passports, and Aadhaar cards.
Independent cyber researcher Rajshekhar Rajaharia was the one who spotted the database and notified TechNadu. Upon checking, the tech outlet said that the data “appears to be valid.”
Aside from uploading the database to the hacker forum on the dark web, the threat actors also created a system in which users can search for information using a few details. Entering a phone number or email address returns the rest of that user's info.
Purchasing the database will result in the whole database being taken offline, making sure that the information it contains is exclusive.
According to TechNadu, the entire file contains info from different databases such as MySQL dumps or 500 databases totalling 350 gigabytes of data, Merchant KYC data amounting to around 7.5 terabytes of info, and a number of databases containing company info.
It also contains 99 million records of mail, phone, passwords, addresses, apps installed, IP addresses, and GPS locations, as well as 40 million records of 10-digit card numbers, month, year, and card hash.
In the post, the seller said that each of the entries can be used to generate money through loans amounting to $500 to $1,000. With this number, the database can generate up to $3 billion.
To prove the claim, the seller has partnered up with an entity that used the info to raise money and the concept allegedly worked.
Meanwhile, MobiKwik denied such allegations, said Business Standard. A spokesperson said, “Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media.”
“We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.”