In what is being touted as one of the biggest data breaches in history, sensitive information of nearly 10 crore users of MobiKwik was reported to have been leaked online. Following a denial from the company, the hacker who claimed to have access to the user data has said that he has voluntarily deleted it.
This is a welcome development, given that the hacker -- who goes by the name ninja_storm -- had earlier offered to sell 8.2TB of compromised user data. The hacker claimed that the data contained “email, phone number, passwords, addresses, other apps installed, phone manufacturer’s names, IP addresses, GPS location, etc”, among other details.
Here’s a look at the timeline of the MobiKwik KYC data breach:
24 February, 2021
The hacker announced on a platform known as Raid Forum that he had access to the data of one of the “top 3 financial services companies from India - 7 TB”. While the hacker did not name the company, he said he was looking to interact with “serious buyers” interested in the data.
To satisfy viewers who asked for proof of this data, the hacker created a Discord server and invited people to have a look for themselves. A day later, however, the hacker said that access to the data was lost while transporting it to other servers.
26 February, 2021
Soon, internet security researcher Rajshekhar Rajaharia took to Twitter to announce the discovery of this data breach. Tagging the Reserve Bank of India, he said that personal details and Know Your Customer (KYC) data, such as PAN and Aadhaar numbers, of 11 crore Indians had been leaked from a company's server in India. He did not name the organization suffering the alleged data breach.
Demanding an investigation, he said that the hacker had claimed to have had access to the company's server since January 2021.
27 February, 2021
A day later, Rajshekhar Rajaharia tagged MobiKwik in the same tweet thread and demanded answers from them.
4 March, 2021
Nearly a week later, MobiKwik responded to the allegations and denied them completely. MobiKwik claimed that the allegations were the actions of “a media-crazed so-called security researcher”, and the company threatened to initiate legal action against the researcher.
6 March, 2021
Following this, the hacker announced on Raid Forum that the compromised data was indeed from MobiKwik.
27 March, 2021
The hacker then said the data had been recovered and was up for grabs for 1.5 Bitcoin, which would be close to Rs 65 lakh.
29 March, 2021
The hacker then said he would delete the entire data set if MobiKwik admitted to the data breach. On the same day, ethical hacker Elliot Alderson tweeted to confirm the MobiKwik data breach. Users too began to confirm that their data was now up on the darkweb.
30 March, 2021
MobiKwik stuck to its guns and maintained that there was no data breach at all. Though the company categorically denied that the data available on the darkweb was from MobiKwik, it said that it would get a third party to conduct a forensic data security audit “considering the seriousness of the allegations, and by way of abundant caution”.
In a quick turn of events, the hacker said that he had deleted the entire data and that all user data was now secure with MobiKwik. The hacker added that he hoped lessons were learnt from the incident.