Over the last few weeks, many Flipkart users aired complaints about their accounts being hacked, with unknown people placing orders from their IDs and using up their Supercoins, the firm's loyalty reward system.

But going by expert commentary, the hacks had hardly anything to do with Flipkart's database being breached. Rather, they date back to the Bigbasket data breach, where information on thousands of people was leaked on the dark web for anyone to download and use.

According to experts, while Flipkart's database might not have been breached, companies should bring in two-factor authentication to ensure that such mishaps are avoided.

What happened?

On May 12, a Flipkart customer, Satish Medapati, tweeted that his account had been breached and that strangers were using his Supercoins, Flipkart's loyalty reward system, to place orders. This is not an isolated incident, though.

Over the last couple of weeks, many users had raised similar complaints on the microblogging platform Twitter about strangers placing orders from their Flipkart accounts and using their Supercoins for the purpose.

Another user, Ajay Shah, said that the information of thousands of users is also being sold on Telegram. A screenshot Moneycontrol has reviewed showed about 2,800 IDs being sold in a Telegram group.

Two security researchers Moneycontrol spoke to explained that this breach could be traced back to the Bigbasket breach in November 2020, followed by the data of millions of users being made public on the dark web late last month.

The Bigbasket link

After the Bigbasket data breach came to light in November 2020, a group of hackers made the personal information, including hashed passwords, of about 20 million Bigbasket users available for free on the dark web two weeks back.

T Prasad, Chief Information Security Officer at InstaSafe, a cybersecurity platform, said that those who downloaded the data will have access to the user details.

Once they have access to emails and hashed passwords, hackers can decrypt the passwords and run automated scripts to find, from the dozens exposed, users' IDs that can be used on the Flipkart site, he explained.

Rajshekhar Rajaharia, a security researcher, said, "Around 4 million Bigbasket hashed passwords were decrypted by hackers." Given that most people use the same ID and password for all websites, people are able to log into the Flipkart site using the same information. Moneycontrol was able to verify the same.

What now?

Rajaharia says that users should immediately change all their website passwords instead of waiting for the company to inform them. As general security hygiene, he also suggested that users use different, strong passwords for every website.

But the need of the hour, both Rajaharia and Prasad say, is two-factor authentication.

According to Prasad, having two-factor authentication (2FA) enabled on the company's site would have prevented these issues. Right now, entering a username and password is enough to get access to the website.

But given the scale of breaches we have witnessed over the last six months alone, companies should undertake more security measures. Two-factor authentication is one such solution. For instance, when you log in to, say, the Amazon.in site from a new device, it sends a verification link via SMS to your number. Only when that is authenticated will the user be able to log in to the site.

"It is high time firms like Flipkart update their security. They should bring in two-factor authentication, as making all users aware about having strong passwords is going to be tough," he added.