MobiKwik Shifts Blame On Users For Data Breach That It Says Didn’t Happen
MUMBAI, India — Thirty-year-old internet security researcher Rajshekhar Rajaharia first learned about a data leak of India’s top three fintech companies on a database sharing marketplace on Feb. 24. The next day, he reached out to a hacker named Jordandaven on a Discord messaging group.
“I went to the Discord group where the hacker had shared five sample files of this data dump,” Rajaharia told Zenger News.
“Looking at the files and the database structure, I thought it might belong to MobiKwik. I informed MobiKwik and reached out to its chief executive Bipin Preet Singh on LinkedIn to ask him to investigate the matter.”
MobiKwik is an Indian fintech company that was founded in 2009. It offers multiple ways to pay digitally for mobile phone recharges, bill payments, shopping in local stores, and even transferring money to bank accounts.
The firm counts U.S. venture capital firm Sequoia Capital as one of its major investors. Within the Indian landscape, MobiKwik competes with Google’s payments service, Google Pay, Softbank and Alibaba-backed Paytm, and Accel-backed Juspay, among many others.
According to various reports, MobiKwik is looking at an initial public offering this year and expects a valuation of over $1 billion.
But right now, MobiKwik is in the eye of a storm as it has emerged that data of 110 million users — of the around 120 million users it has — has been leaked online through its servers.
This data is available for sale on the dark web, an encrypted part of the web that cannot be searched or indexed by regular search engines. Due to its anonymous nature, the dark web is a playground for a lot of illegal activities. Zenger News reached out to MobiKwik CEO Bipin Preet Singh but hasn’t got a response until now.
As seen in the screenshot taken from dark web marketplace Raid Forums, a user named the ninja_storm said the MobiKwik data dump measures 8 terabytes. It contains email IDs, phone numbers, passwords, addresses, GPS location details, credit card details, and much more.
Also present in the dump is KYC or know-your-customer details of around 3 million users registered with various merchants. In India, every bank or fintech app needs a customer to submit their KYC details, soft copies of any national ID like a passport and Aadhaar card number (an Indian equivalent of social security number).
Rajaharia first tweeted about the breach on Feb. 26 and claimed that the hacker boasted of having access to the company servers since January 2021. He hadn’t named MobiKwik in his first tweet on the matter as he was awaiting a response from the firm.
Rajaharia checked if his data was there in the leak. After confirming that, on Feb. 27, he named MobiKwik and alleged that the firm had taken down its press note regarding a 2010 breach.
“On March 1, I found another bug on their site. I informed them about it. But they denied it and fixed it in the background. They removed the APIs to remove any evidence. Later the hacker had dropped a hint that the company, whose data they had, had been compromised in 2010 as well. I checked the news from 2010, and it turned out MobiKwik was compromised then as well — surprisingly, the firm deleted a blog post on their site about the 2010 hack,” said Rajaharia.
“Twitter blocked my account on March 9 and March 31. My account was activated on March 9 after I deleted a tweet Twitter had asked me to. On March 31, my account was blocked for 12 hours, and the entity requesting the block was ‘One MobiKwik Systems Private Limited.”
He has given a timeline of events from Feb. 24 to March 31 on his blog. To date, he has received no communication from MobiKwik.
French security expert Robert Baptiste, who goes by the handle @fs0c131y on Twitter, also shared a screenshot of a tweet (originally posted on March 29). He had to delete it after receiving a takedown notice. Baptiste had confirmed the MobiKwik hack on the dark web forum where users can search if their details are present in the leaked database.
“The hacker has since deleted the search engine,” Rajaharia said.
By March 4, MobiKwik again denied any data breach and sent out a series of tweets discrediting Rajaharia without naming him. The firm also threatened legal action.
“I haven’t got any legal notice yet, but they have threatened action,” said Rajaharia. “I might have to visit the court as the company is auditing itself. So far, they haven’t admitted to anything. I haven’t seen any government organization reprimanding MobiKwik, so I can’t be sure.”
After multiple data breach reports showed up, MobiKwik said in a blog post shared on March 30 that the firm had done a thorough investigation with external security experts when the breach was first reported and found no evidence of any hack.
Many users who discovered their details in the data dump claim that they have received no communication from MobiKwik.
“My data has been breached online. However, I don’t know how and when it happened,” developer Prateek Pardeshi told Zenger News. He also tweeted screenshots of his redacted details on Twitter.
Prasanth Sugathan, legal director, Software Freedom Law Centre, India, told Zenger News that entities must inform India Computer Emergency Response Team (CERT-In), a government nodal agency to deal with cybersecurity threats in such cases.
“While the companies are required to adhere to Reserve Bank of India standards and the Sensitive Personal Data Rules, there are no requirements as of now to disclose data breaches publicly,” Sugathan told Zenger News. “However, under the IT Rules, 2021, and the IT (Indian Computer Emergency Response Team) Rules 2013, they are required to disclose breaches to CERT-in.”
Rajaharia has been in touch with CERT-In, who had reached out to him after his tweet went viral. “I have been sharing all my screenshots as well as video documentary evidence with CERT-In and also with Reserve Bank of India, Payment Card Industry Data Security Standard, MasterCard, and Visa,” said Rajaharia.
One paragraph in MobiKwik’s note stands out as it tends to hint that the users were to blame to some extent. “Some users have reported that their data is visible on the dark web. While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source,” the note states.
Sugathan said that this kind of response amounts to shifting the blame on the users “who do not have control over data stored on the server-side.”
Many organizations have requested CERT-In to investigate the matter.
Free Software Movement of India sent a letter to CERT-In on March 30, asking for “investigation into this incident and update citizens on what has transpired at MobiKwik.”
Apar Gupta, noted Indian cyber law expert and executive director of the digital liberties organization Internet Freedom Foundation, also sent a letter on March 31 to CERT-In.
“MobiKwik’s denial, which shifts the blame on users, makes it necessary for your department to investigate this issue, given the size and impact on ordinary Indian users who are put at risk of several forms of harms including identity fraud,” noted Gupta in the letter.
“They [users] can file a civil suit against MobiKwik, and also for violation of sensitive personal data rules,” said Sugathan.
“It highlights a major issue that companies like MobiKwik can get away with such big violations due to lack of a robust regulatory framework on data protection,” said Sugathan.
India’s Personal Data Protection Bill 2019 deals with data breach issues, but it has yet to become a law.
Rajaharia has been pointing out instances of data breaches for services he uses.
“The only good experience I have had was with Juspay, whose founder reached out to me and appreciated my findings. The company even created a group with me in it to help them in securing user data,” said Rajaharia.
“But such cases are few and far between, and responses like MobiKwik are the norm.”
(Edited by Amrita Das and Abinaya Vijayaraghavan. Map by Urvashi Makwana)