Even as the IPO-bound payments firm MobiKwik continues to deny a massive data leak, insisting that user information is safe, security researchers and users are not convinced.
In a conversation with Moneycontrol, more than half a dozen security experts and users flagged the seriousness of the data leak, discussing why it could be genuine and not engineered.
Security researcher, Rajashekhar Rajaharia, on two occasions, February 26, and March 4, revealed that a hacker claimed to have access to 10 crore Indian cardholders’ data on MobiKwik and their Know Your Customer (KYC) details. Rajaharia, also a MobiKwik user, urged the company to inform users of the breach and the steps it has taken to address the situation.
But that did not happen. In response, on March 4, Gurgaon-based payments firm MobiKwik in a tweet said, “Our user and company data are completely safe and secure. The various sample text files that he has been showcasing prove nothing. Anyone can create such text files to falsely harass any company.”
The company also said that it would take legal action against Rajaharia.
A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organization while desperately trying to grab media attention. We thoroughly investigated his allegations and did not find any security lapses. 1/n
— MobiKwik (@MobiKwik) March 4, 2021
Things, however, came to a head on March 29, when the French security researcher who goes by the name Elliot Alderson, and Alon Gal, co-founder and Chief Technology Officer (CTO) of Israeli security firm Hudson Rock, tweeted that this was one of the largest KYC data leaks in history.
Indian payment systems giant "Mobikwik" allegedly suffered what may be considered the largest KYC data leak in history.
Over 37m files, KYC of 3.5m individuals, and a whopping 100m phone numbers, emails, passwords, geodata, bank accounts & CC data. @MobiKwik
— Alon Gal (Under the Breach) (@UnderTheBreach) March 28, 2021
The massive breach reportedly included KYC details of 3.5 million people, and the phone numbers, emails, hashed passwords, addresses, bank accounts and card details of close to 10 crore users. This data was put up for sale on the dark web to anyone willing to pay 1.5 bitcoins, which is equal to $88434 (Rs 62,63,110).
The company again denied this claim and said that user data is safe and secure. As more users started posting their leaked data online, the situation snowballed, and the company issued a further clarification.
On March 30, CEO Bipin Preet Singh tweeted a note from the company on the data leak. It said: “MobiKwik is a truly Indian payments app used by 100 million Indians and was built by 350 Indians.’’
It further added, “Some users have reported that their data is visible on the Dark web. While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the Dark web has been accessed from MobiKwik or any identified source.”
A note to our users.
— Bipin Preet Singh (@BipinSingh) March 30, 2021
Clearly, users and researchers are not buying this. One of the users whose data was leaked responded sarcastically, saying, “It is very convenient that everyone uploaded the correct joining date to random insecure websites.”
They explained to Moneycontrol why it is impossible to fabricate data with this level of accuracy for such a large volume of users.
Moneycontrol, with the help of a security researcher, was able to validate the same using the Tor browser. On the page, users can input information such as a mobile number, email, or name. If that data has been leaked, the full dump of the records leaked for that user is returned. If not, the results show 0 (zero). This link is no longer accessible due to increased traffic.
However, on March 29 Moneycontrol tested the veracity of the leak claims by querying both user and non-user mobile numbers. The non-user numbers did not turn up any results, while the user numbers did, with an accuracy that researchers say is not possible by mere fabrication.
Possibility of fabrication
When the information first surfaced in early March, not many took this seriously, precisely because of the possibility of fabrication. But as users started sharing their leaked information online, more tried their hand on this search engine.
Take for instance the data of Vinoth Kumar, a security specialist and part-time bug bounty hunter, who is also a MobiKwik user. Kumar could see that his old email ID was mapped with his new number in 2017, a combination he has not used on any of the other platforms.
“If it was my old number and old email ID, I would have given them the benefit of the doubt,” he said. Also, the data he had shared with MobiKwik, including his date of joining the platform, was accurate. “There is no way a hacker would fabricate this data with this accuracy. This is a 100 percent data leak,” he told Moneycontrol.
It was not just Kumar. Moneycontrol spoke to four other users, who have confirmed that the data they were able to get through the search engine was accurate. Moneycontrol has reviewed the data for some of the users.
“Even if you think that all other details are fabricated, how will anyone else know when I joined MobiKwik?” asked a Bengaluru-based medical professional, whose data Moneycontrol has reviewed.
Kiran Jonnalagadda, co-founder of Hasgeek, has also called out the denial by MobiKwik. Jonnalagadda explained to Moneycontrol why the evidence is compelling enough to point to a leak.
One, his date of joining in the dump (the leaked data accessed over Tor) matches exactly with the email receipt he got from MobiKwik at the time of registration. Two, the results did not have his name, since he never gave his name and registered with only his email ID.
An element of doubt, he pointed out, was that the hashed password (a one-way scrambled form of the password, not the password itself) did not match the hash he computed himself, giving rise to some uncertainty. “But that is a technicality. It is possible they are hashing it differently from what I'm doing,” he said.
Apart from the card details, KYC details including PAN card and Aadhaar have also reportedly been made public. On a forum where the data was up for sale, the hacker said they had done a proof-of-concept by raising loans with it.
“Got to know India is full of those companies who give loans freely in the range of $100-1000. These are merchant KYC data, which can be used to get $500-$1000 in Indian currency and there are 3 million of those,” the hacker shared, nonchalantly, on the forum. Moneycontrol has reviewed the discussion on the dark web.
Rajashekhar, who first exposed the data leak and is himself a user, pointed out that he had written to the concerned authorities seeking an audit, but this did not elicit any response.
What is even more alarming to users is the range of data that was reportedly collected. Take the dump of the Bengaluru-based medical professional.
Apart from the name, email addresses and mobile number, the dump of MobiKwik users included GPS location, addresses, and the other applications the user might have on the phone, including messaging, news and learning apps.
The medical professional cited earlier said he was taken aback when he saw the range of information the app had access to. “While I have now come to accept the mobile and email being leaked, for me the apps I use being made public is a grave concern,” he shared.
Moneycontrol was not able to independently verify the said KYC leak, or whether the information collected from user phones was indeed from MobiKwik. According to experts, the strong denial could be related to the company's upcoming IPO.
What is the company’s response?
MobiKwik did not respond to the detailed query sent by Moneycontrol on the data leak, the wide range of information the app is supposedly collecting from users, whether the denial is linked to the IPO, and whether the recent event has resulted in a decline in the number of users on the platform. A detailed query on KYC details being leaked and being used to avail loans was also shared, without eliciting any response.
A MobiKwik spokesperson said in a statement that the company has undertaken a thorough investigation with the help of external security experts and did not find any evidence of a breach. “The company is closely working with requisite authorities on this matter and considering the seriousness of the allegations, will get a third party to conduct a forensic data security audit. For its users, the company reiterates that all MobiKwik accounts and balances are completely safe,” the spokesperson said.
In a blog post on March 30, MobiKwik said the company has robust internal policies and information security protocols and is subject to stringent compliance requirements.
What does it mean for the users?
Prasad T, chief information security officer, Instasafe, a cybersecurity platform, said that if the leak of KYC details is true, it is a concern, given that this information can be easily misused. The comment from the hacker that they have already tested the KYC for getting small loans from banks is a testimony to the adverse impact it could have.
Concerned users, experts said, can block the cards and get them reissued from banks and reset the passwords, if they have not already done so.
Users can also claim actual damages, if they can establish the leak successfully, under the Consumer Protection (e-commerce) Rules, 2019, said Safir Anand, Senior Partner & Head of Trademarks, Anand & Anand.
According to Anand, “Considering the current rise in cyber theft in the course of the digital era, it is time that India starts exploring the options of class suit actions.”
Can MobiKwik be held accountable?
Technically, yes, if negligence can be established under Section 43A of the IT Rules 2011, which has provisions for data protection.
The rule states that whenever a company deals with any sensitive personal data or information and is negligent in maintaining reasonable security to protect such data or information, thereby causing wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages to the person(s) so affected.
“A company that fails to protect personal data of its users can be held accountable under Section 43A,” Anand said. Companies can also be held liable for negligence under Section 72A of the Act, where they do not safeguard the personal data collected by them, he pointed out.
But these must be proved. Security professionals said that when a company stands on its ground and denies any such leaks, there is not much a user can do. This is one of the loopholes the current system has, and it must be rectified.
Karmesh Gupta, co-founder & CEO of WiJungle, a cybersecurity firm, said these incidents emphasise the need for the personal data protection bill, which is yet to be implemented.
Maybe the MobiKwik case is just the kind of incentive that lawmakers need.