Details of 2 crore Bigbasket users from 2020 breach leaked online: Report
As part of the data breach, the leaked database reportedly includes not only usernames, email addresses, birthdates, hashed passwords, but also their residential addresses.
Towards the end of 2020, grocery e-commerce company BigBasket was affected by a data breach in which nearly two crore users’ data was reportedly up for sale. While the company had admitted it was looking into the breach at the time, a new report suggests that the data from that breach is now available on the dark web.
According to a report by News18, a hacker collective called ShinyHunters have made the data of over 2 crore users in the form of a 3.5 GB database on a dark web data forum. The report relies on the work of a computer researcher, who tweeted that the data was posted by the group. Meanwhile, security analyst Alon Gal also tweeted that the user data had been leaked online, while breach monitoring websites have also included information about the breach.
Infamous threat actor "ShinyHunters" just leaked the database of "BigBasket, a famous Indian 🇮🇳 online grocery delivery service. (@bigbasket_com)— Alon Gal (Under the Breach) (@UnderTheBreach) April 25, 2021
20,000,000+ clients affected and information such as emails, names, hashed passwords, birthdates and phone numbers were leaked. pic.twitter.com/tD5TMxNkH7
As part of the data breach, the leaked database reportedly includes not only usernames, email addresses, birthdates, (hashed) passwords, along with their residential addresses. At the time the breach was disclosed last year, data security group Cyble had claimed that the data from the breach was being sold on the dark web for around ₹30 lakh. However, considering that the breached data also involves users residential addresses, this could prove to be quite a privacy nightmare.
“This article/social media post refers to an alleged data breach in Nov-2020 and not something that has happened recently. The reason we know it's not recent is that the article/social media post mentions the release of hashed passwords. We had eliminated all hashed passwords from our system and moved to a secure OTP-based authentication mechanism quite some time back. Also, our site does not collect or store any sensitive personal data of customers like credit card details. So customer data continues to be safe and no further action needs to be taken by customers,” Bigbasket said in a statement.
In the meanwhile, users can quickly visit security researcher Troy Hunt’s breach monitoring website haveibeenpwned.com in order to check if their data was found in the breach – the site informed us that we were affected. They can then change their passwords for the affected website, if necessary.