In an alleged massive security breach, the data of almost 20 million customers of Indian e-grocery unicorn BigBasket was leaked on the dark web, a US-based cybersecurity firm Cyble said in a recent blog post.
During its routine dark web monitoring, Cyble’s research team found a database of BigBasket users up for sale for over USD 40,000. The 15 GB file contains customers’ full names, email IDs, hashed password, pin, contact numbers, full addresses, date of birth, location, and IP addresses of login, among other details, the post said. The dark web is the collection of hidden or encrypted internet sites that are only accessible by a specialized web browser.
The data breach happened on October 14, 2020, which Cyble detected two weeks later. The cybersecurity firm then disclosed the leak to BigBasket management on November 1.
BigBasket has filed a complaint with the cybercrime police department in Bengaluru, where it is headquartered, and “intend to pursue this vigorously to bring the culprits to book,” the startup said in a media statement.
It is evaluating the extent of the breach and authenticity of the claim in consultation with cybersecurity experts at the moment while trying to find immediate ways to contain it, BigBasket said. The company claimed it does not store any financial data including credit card numbers, and is confident that the financial data is secure.
“The only customer data we maintain are email IDs, phone numbers, order details, and addresses so these are the details that could potentially have been accessed,” it added.
The news of the security breach comes at a time when BigBasket is reportedly in talks with Indian conglomerate Tata Group to sell up to 50% stake for USD 1 billion, which would give its Chinese backer and other early investors an exit.
BigBasket is not the only Indian consumer tech startup that has been targeted by hackers of late. Last month, WedMeGood, an Indian wedding planning website, became a victim as its 1.34 million customers’ information was exposed on the dark web, according to Cyble, which was tipped off about the leak through a Russian forum.
The same month, Cyble found a post that claimed to have possession of user data from Indian matrimony website Bharat Matrimony. Paytm Mall, the e-commerce arm of payment services giant Paytm, also suffered a breach, Cyble had revealed in an August blog post.
The cybersecurity firm was tipped off by an “alleged” ex-cartel member of a hacking group “John Wick”, infamous for breaking into and collected ransoms from multiple Indian companies including Zee5, SquareYards, Stashfin, Sumo Payroll, and e27. In August this year, Cyble also alleged that hackers were able to get a backdoor entry to Paytm Mall’s app and website, and secured unrestricted access to their entire databases. However, Paytm denied any such breach, and sent Cyble a legal notice threatening to initiate defamation proceedings against the cybersecurity company, local media Economic Times (ET) reported. Similarly, earlier in May, Cyble said edtech startup Unacademy was allegedly targeted by hackers in January 2020, which compromised 20 million user accounts.