Private data of 3.5 million MobiKwik users reportedly up for sale, company denies claim

A database containing private information of 3.5 million users has reportedly appeared for sale on the dark web after a breach at payments startup Mobikwik according to a report by Moneycontrol.

The appearance of the portal and information about the breach was first reported by TechNadu, which cited the work of an independent researcher Rajshekhar Rajaharia. French ethical hacker and security researcher Robert Baptiste, who goes by the name Elliot Alderson, also tweeted about the alleged data breach this afternoon.

The breached data reportedly contains 36,099,759 files that comprise 8.2 terabytes of data. This is being offered for sale at 1.5 bitcoins (or $84,000) according to TechNadu. The data uploader has promised the dark web portal will then be taken offline, keeping everything exclusive to the buyer. 

According to Moneycontrol, the data includes details of users email addresses, phone numbers, hashed passwords, plus bank account and card details. Here is the list of documents available on the dark web, according to TechNadu: 

1) Total 350GB MySQL dumps – > 500 databases

2) 99 million – mail, phone, passwords, addresses, lots more data, apps installed, phone manufacturer, IP address, GPS location.

3) 40 million – 10 digit card, month, year, card hash (sha256).

4) ~7.5 TB of ~3 million Merchant KYC data – passports, Aadhar cards, pan cards, selfie, store picture proof, etc., used to get loans on the site

We reached out to Mobikwik for comment, and the company denied the claims made by the researcher. "Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure," a MobiKwik spokesperson told us on Monday evening.