The data dump included mail IDs and phone numbers, data of 40 mn debit and credit cards, and 3.5 mn KYC logs
Gurugram-based digital payments firm MobiKwik denied it has suffered a data breach, despite several social media users finding their data on a massive data dump on the dark web, with the date on those entries matching the day they opened an account with the company.
Its denials came a day after unknown actors claimed they were selling Mobikwik’s data on the dark web and that this included 99 million mail IDs and phone numbers, data of 40 million saved debit and credit cards as well as know-your-customer (KYC) logs of 3.5 million users.
While the claims by purported hackers surfaced weeks ago, a searchable database of this data surfaced over the weekend, and several users posted on Twitter and other social media platforms on Tuesday that they were able to key in their mobile numbers and find their user data, including sensitive information such as credit card details, on the database. Many users pointed out that the date of entry in the database matched the day they received an onboarding email from Mobikwik.
The company said it was investigating the matter.
“Some users have reported that their data is visible on the dark web. While we are investigating this, it is entirely possible that any user could have uploaded her/ his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source," said MobiKwik in a blogpost on Tuesday.
MobiKwik also added that when the matter was first reported, last month, it undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach.
The data dump also includes images of merchants, PAN cards as well as other identity proofs, used by the company for digital KYC purposes.
The alleged leak comes as a setback for the company that is planning an initial public offering (IPO) of its shares in September this year. It was also aiming to raise $200-250 million as pre-IPO corpus, Bloomberg reported earlier this month.