In February, internet security researcher Rajshekhar Rajaharia tweeted that the KYC data of nearly 11 crore Indians had been leaked onto the dark web. This is apparently an 8TB treasure trove of PAN numbers, Aadhaar information, credit card information and bank details. The hacker has claimed that he has had access to the company’s server since January 2021.
Again!! 11 Crore Indian Cardholder's Cards Data Including personal details & KYC soft copy (PAN, Aadhar etc) allegedly leaked from a company's Server in India. 6 TB KYC Data and 350GB compressed mysql dump. @RBI @IndianCERT #InfoSec #dataprotection #Finance pic.twitter.com/yjc7davH3k
— Rajshekhar Rajaharia (@rajaharia) February 26, 2021
The source of this hack is the UPI payments and wallet app Mobikwik, which has so far denied the breach, stating: “Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data are completely safe and secure.”
Okay. So, has my data been hacked or not?
Even in the face of Mobikwik's vehement denials, the evidence has mounted strongly against the company. Besides Rajaharia’s damning series of tweets, several other prominent security researchers have also tweeted against the company, including ethical hacker Elliot Alderson.
Probably the largest KYC data leak in history. Congrats Mobikwik... pic.twitter.com/qQFgIKloA8
— Elliot Alderson (@fs0c131y) March 29, 2021
This is not the first time Mobikwik has been hacked either. As per a blog post by the company in 2010, someone gained access to the company’s IT systems. Rajaharia claims to have also reported a bug on March 1st, which Mobikwik denied at first and then apparently fixed within the next hour.
My 1st March conversation With #Mobikwik after this serious data breach. I also reported a bug. They denied it too and removed that Bug in the next 1 hour. They saved their 1000 rupee bounty by denying it. #InfoSec #DataLeak #GDPR @sanjg2k1 @fs0c131y @troyhunt pic.twitter.com/pP0VRU0vqC
— Rajshekhar Rajaharia (@rajaharia) March 30, 2021
A lot of users have also checked and confirmed that the hack is indeed real, with many Twitter users claiming that much of their data, such as card information and personal details, is part of the breach file.
I personally verified the information and can confirm they have my Card details and more personal data. I am a bit concerned now.
— | Eashwar Ramesh | (@Eashwarramesh) March 29, 2021
Uh-oh. So how do I check if my data is hacked or not?
To those of you sweating bullets right now trying to figure out if your data was compromised or not, here is what you need to do to check. The first thing we recommend doing before anything else is to download the Tor browser; you can do so by visiting the link here.
Tor is a free and open-source web browser that helps you anonymously browse the web using a volunteer relay network. This makes it more difficult for people to snoop around on you while you browse.
Next, you need to open this link.
This is the entire database of the breach that is now online. Disturbingly, it also has pictures of random KYC documents as proof. Search for your information using your phone number or email ID. If nothing shows up, you are safe and you can breathe a sigh of relief.
If something does show up, immediately contact your bank and block your cards now. Change your netbanking password and, if possible, change the email ID that has been linked to your bank details. This will mean you will have to jump through a few hoops, like creating a new mail account or completing some formalities with your bank, but that is 100 percent worth it and will give you some peace of mind. As to what can be done with the data, your guess is as good as mine. Once something is on the internet, it never really leaves.