There have been multiple reports circulating for over a month now in regard to a possible breach of MobiKwik’s servers. The company maintains that no breach has occurred.
The alleged hack was initially reported by security researcher Rajshekhar Rajaharia on Twitter earlier this month, but until recently there were no means to verify the claims.
Previously, sample data was published in what seem to be extortion attempts aimed at MobiKwik by the alleged hackers. Multiple financial documents as well as Aadhaar cards of Indians have been available on the dark web for a while now, thanks to poor security practices of government-owned as well as private entities within the country.
Previous Breach
MobiKwik suffered a breach a few years ago, and one could speculate they were being extorted with the old data just in time for their IPO scheduled for later this year. However, on checking the data, we were able to find accounts created well after the previous breach occurred, which raises further questions.
What Data is Available?
At the time of writing this post, we were able to access the email IDs, phone numbers, and credit/debit card details of individual users. The website, which is only accessible via the Tor browser, also displays various KYC documents at random. We will not be sharing the link for obvious reasons, but our searches revealed information that was not publicly available and seems to be related to MobiKwik.
How has MobiKwik Responded?
Denial. MobiKwik claims there has been no breach and that the data seems to be concocted. While this may sound plausible given the number of data leaks concerning Indians, it fails to explain the accurate account creation times and related KYC documents specific to MobiKwik. We have reached out to them and will update with their response if and when we receive one.
Was I affected? What Should I do?
If you had a MobiKwik account previously, there is a very good chance your details were compromised. The best course of action would be to report the credit/debit cards linked to your accounts. If you use the same password across several services, you should consider changing the passwords as well. As for Aadhaar and PAN card details that you may have submitted as part of KYC verification, there is not much that can be done.
We continue to investigate and are looking for previous breaches from where the data could have been published, in case MobiKwik’s claim of not being breached is true, but so far we haven’t been able to come across any such data. Check this space later for more updates.
Update 1:
The search functionality on the Tor website seems to have been blocked at the moment. Random KYC documents are still being shown.