Mobikwik has vehemently denied the claim, and has even threatened legal action against Rajaharia as part of their statement on Twitter.
The cybersecurity researcher who first highlighted the alleged data leak of users of payments company Mobikwik told CNBC-TV18 that the company had complained to Twitter and LinkedIn about his posts on the issue and that he had to delete some of them.
Rajashekhar Rajaharia, who earlier this year also highlighted the Juspay data breach, had flagged the data leak of Mobikwik users on February 26. Rajaharia had pointed out in his tweet that: "11 crore Indian Cardholders' card data including personal details and Know Your Client (KYC) soft copy" were allegedly leaked from a company's server, which he later said was that of Mobikwik.
Rajaharia says the hackers have put up 8.2 TB of sensitive data of Mobikwik users on sale on the dark web, with an asking price of 1.5 Bitcoins. Bitcoin price in India as of Tuesday was Rs 42 lakh based on the quotes on Indian crypto exchanges. The data allegedly includes KYC data including Aadhar data of 36 million users, card data of 40 million users, and mobile and email data of 100 million users.
In a social media post on Tuesday, the company said it had investigated the matter but did not find a breach.
"Some users have reported that their data is visible on the darkweb. While we are investigating this, it is entirely possible that any user could have uploaded her/ his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the darkweb has been accessed from MobiKwik or any identified source," the company statement read.
"When this matter was first reported last month, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach. The company is closely working with requisite authorities and is confident that security protocols to store sensitive data are robust and have not been breached. Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit."
Mobikwik further asked users to not open dark web links that are being circulated on social media, "For our users, we reiterate that all your MobiKwik accounts and balances are completely safe. All financially sensitive data is stored in encrypted form in our databases. No misuse of your wallet balance, credit card or debit card is possible without the one-time-password (OTP) that only comes to your mobile number. We strongly recommend that you do not try to open any darkweb/anonymous links as they could jeopardize your own cyber safety."
Mobikwik had even threatened legal action against Rajaharia as part of their earlier statement on Twitter.
In a statement to CNBC-TV18, Mobikwik said, "Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure."
In a series of tweets earlier this month, Mobikwik had also said the 'sample text files' showcased by the researcher 'prove nothing' and they can be falsely created. Mobiwkik had also tweeted that the legal team will pursue strict action against the researcher for "trying to malign our brand reputation for ulterior motives."
Rajaharia said that between March 4-8, Twitter and Linked had alerted him about his posts on Mobikwik's data leak. Rajaharia said that while Linkedin removed his post directly, Twitter had blocked his account temporarily till he deleted the specific tweet.
While Twitter avoided commenting on the issue, LinkedIn told CNBC-TV18 that it can only remove content if it violates policies.
Mobikwik did not respond to these specific queries till the time of publishing this article.
While Rajaharia had highlighted the data leak in February, the issue gained more prominent after many users started posting on social media about their personal details being available on the dark web portal set up by hackers. Well-known cybersecurity personality Robert Baptiste (who is more popularly known as Elliot Alderson based on his Twitter profile) also highlighted the issue, citing it as "the largest KYC leak in history."
A senior government official also tweeted that his data was leaked.
Sanjeev Gupta, secretary for interstate council secretariat, ministry of home affairs, tweeted: @MobiKwik denied it on March 4. So, I tried URL sent to me on DM by some techies & also available publicly. Got all data including mobile no., email, #ed password, credit cards (fields for apps, CVV2, Expiry too!). I shudder to think for those who did full KVC using Aadhaar (1/3)
@MobiKwik denied it on March 4. So, I tried URL sent to me on DM by some techies & also available publicly. Got all data including mobile no., email, #ed password, credit cards (fields for apps, CVV2, Expiry too!). I shudder to think for those who did full KVC using Aadhaar (1/3) pic.twitter.com/M0mhzF3eH8
Kiran Jonalagadda, co-founder of HasGeek, tweeted that his data was also impacted.
He tweeted: The MobiKwik leak is real. Here is what the dump had for me. One of those credit cards was valid until a couple weeks ago, and I don't recall authorising MobiKwik to save it. Companies that lie like 👇 ought to be taken to the cleaners.
The MobiKwik leak is real. Here is what the dump had for me. One of those credit cards was valid until a couple weeks ago, and I don't recall authorising MobiKwik to save it. Companies that lie like 👇 ought to be taken to the cleaners. https://t.co/sptyC1Jz8fpic.twitter.com/c4Uu25OviP