The alleged hack has left millions of users’ personal data — including passwords and addresses — available for 1.5 BTC on the dark web.
As much as 8.2 terabytes of personal information data has allegedly leaked from users of India-based MobiKwik mobile payment’s wallet application and onto the dark web, according to a report from India Times.
A white hacker who highlighted the breach called it “probably the largest KYC data leak in history,” per India Times.
The leak apparently includes ID scans, passports, emails, phone numbers and addresses, and is currently for sale on hacking forums for 1.5 BTC, per the report. Reporting entity Technadu lists the assets for sale as:
“The seller lists the following as included in the massive pack:
- Total 350GB MySQL dumps – > 500 databases
- 99 million – mail, phone, passwords, addresses, lots more data, apps installed, ph manf., IP address, GPS location
- 40 million – 10 digit card, month, year, card hash (sha256)
- lots of databases with all company data
- ~7.5 TB of ~3 million Merchant KYC data – passports, Aadhar cards, pan cards, selfie, store picture proof, etc., used to get loans on the site.”
Upon entry of email addresses or phone numbers, the portal returns valid user information, per Technadu.
MobiKwik has since denied the claim, stating, “Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure,” Technadu reported.
Regardless, the alleged leak highlights the importance of avoiding centralized databases which store user data. These are massive targets representative of extremely powerful access to personal information, and will always be points of attack for hackers. The avoidance of KYC collection is emphasized by many within the Bitcoin community as there are no third parties who ensure bitcoin funds or their owners are protected, so circumventing these targets is paramount.
Although this may seem to come from an overabundance of caution, the alleged MobiKwik hack clearly demonstrates the value behind following privacy practices.