Digital wallet and payments company MobiKwik, reportedly planning an initial public offering (IPO) around September this year to raise $200-250 million, on Monday denied claims that sensitive data of millions of its users had been leaked. Independent cybersecurity researchers have claimed that a database containing KYC details of nearly 3.5 million MobiKwik users is up for sale on the dark web. The hackers' alleged online data leak, comprising data such as Aadhaar details, phone numbers, addresses and KYC details, surfaced on social media. According to the allegations, the details of around 3.5 million users are at risk after 8.2 terabytes of data about homegrown financial platforms were leaked on the dark web.
The data breach came to light after a few MobiKwik users posted screenshots of their leaked financial and KYC details on social media. First tweeted by independent cybersecurity researcher Rajshekhar Rajaharia and then by French researcher Elliot Alderson on Monday, the alleged breach includes 8.2TB of data containing users' phone numbers, emails, hashed passwords, addresses, bank accounts and card details. The dark web link shows all the financial details up for sale for 1.5 bitcoin or $86,000. All the details, including Aadhaar, KYC, and address, were visible to anyone, except the password.
However, MobiKwik has denied any such breach and claimed that its users' and the firm's data are safe and secure. "Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organisation as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure," a MobiKwik spokesperson said.
Alderson had tweeted: "Probably the largest KYC data leak in history."
Earlier, on March 4, Rajaharia had claimed in a series of tweets: "11 crore Indian cardholder's cards' data including personal details and KYC soft copy (PAN, Aadhaar etc) allegedly leaked from the company's server in India. The backup was allegedly taken on 20 Jan 2021. He claims to have MobiKwik access for the last 30 days. @RBI @IndianCERT Please look into this matter." He also posted screenshots of the financial details of some users.
"The various sample text files that he has been showcasing prove nothing. Anyone can create such text files to falsely harass any company," the company said, claiming that legal action will be taken against this "so-called researcher" who is trying to "malign our brand reputation for ulterior motives".
On March 26, Rajaharia again tweeted that the data of around 11 crore Indian cardholders had been leaked from a company's server in India. "Orphan/unclaimed data of 10 crore Indian debit #creditcard numbers including expiry date/month and KYC photos (PAN, Aadhaar) are wandering on the dark web. The responsible (hacker) is saying that their card data is on their database. How it can be on the dark web," he tweeted. He also alleged that MobiKwik had deleted a blog post about a previous unauthorised server access (in 2010) after his tweet. "I think it's a big controversy now... what was the need of this step. Hiding things is not a solution," he asked.
MobiKwik has refuted all claims and said that the blog post is up online and was never deleted.
According to the researchers, the entire database is available for 1.5 Bitcoin (nearly $84,000) on the dark web.
The reports surfaced as MobiKwik last week raised $7.2 million in a funding round ahead of its stock exchange listing, according to regulatory filings with the Ministry of Corporate Affairs. According to Entrackr, MobiKwik's post-money valuation currently stands at $493 million with the latest funding round.