A hacker has claimed that all the user data of payments firm MobiKwik has been deleted after conversations with independent researchers about the consequences of the data being leaked.
The forum post by the hacker claimed that only MobiKwik and the hacker group had a copy of the 8.2 TB of data, and that now only MobiKwik has it.
The massive breach of MobiKwik user data reportedly included KYC details of 3.5 million people, as well as phone numbers, emails, hashed passwords, addresses, bank accounts and card details of close to 10 crore users. This data was available for sale on the dark web to anyone who could pay 1.5 bitcoins, which is equal to $88,434.
The company has denied the leak and said it will ask a third party to conduct a forensic data security audit.
“We deleted all data and 2 backups of all of data from all our servers and small copies of data loaded into server which hosted the infamous onion site. I've done this deletion myself and no foul play here,” the hacker claimed.
“Now all of your data is secure with Mobikwik and no one can misuse it except of course Mobikwik for targeted ads or call which everyone does anyway,” the hacker posted on the forum.
However, security professionals and users Moneycontrol spoke to are cautious. Kiran Jonnalagadda, co-founder, Hasgeek, and a MobiKwik user, said that there is no way this can be verified.
T Prasad, chief information security officer, InstaSafe, shared the same concern. “It cannot be trusted,” he said. “While there is a possibility that the hacker is telling the truth, someone could have bought the whole DB and asked to communicate in this manner,” Prasad explained. According to him, there is no way to verify this.
The search engine currently has a message, “All MobiKwik data is deleted on our servers. All users safe!”
At the bottom of the page, there was another notice, “I've been told I'm single-handedly helping India to make better data regulations and to fine companies if they lose user data like GDPR. Didn't expect this outcome when we hosted this site.”
Rajashekhar Rajaharia, a security researcher who first revealed the leak, said that the hacker could be playing, given that this is not the first time he has said that he does not have the data.
When the data leak was first exposed in February, the hacker claimed that they lost access to the data and they did not have the actual data with them. “So we can’t trust,” he said.
Moneycontrol has also reached out to MobiKwik on the hacker’s claim. The story will be updated with their comments as and when we get them.
In the forum, where the hacker had posted about the sale of data, the hacker claimed, “All of India is worried about this leak as it is 99 million users and 3.5 million users KYC details.”
“We have very long and deep conversations with some independent security researchers about the consequences if data is leaked or sold and decided we will delete all data from our end as Mobikwik is incompetent in that regard,” the hacker claimed.
“Sadly, they are just digging themselves more and we are not as ruthless as all those news reporters whose only aim is to destroy the company and report anything without thinking about consequences and to destroy the company's IPO,” the hacker alleged.
According to the hacker, they have received probably 100-150 mails/messages in the last 24 hours regarding this leak. “People wanting to learn hacking, people asking to block their details from showing in search portal, to lawyers trying to sue company, and as usual security researchers and news reporters asking for more details. We have replied to most people and blocked all the numbers we got in block requests not to show in portal,” the hacker claimed in the portal.