A researcher said data of 11 crore Indians, which included information from KYC (Know-Your-Customer) forms, unmasked card numbers and other personal details, had been leaked from a Mobikwik server
NEW DELHI: Payments app Mobikwik is facing backlash from users after the company allegedly tried to ignore a possible data leak. It all began late last month, when security researcher Rajshekhar Rajaharia exposed the data leak on Twitter. The researcher said data of 11 crore Indians, which included information from KYC (Know-Your-Customer) forms, unmasked card numbers and other personal details, had been leaked from a Mobikwik server. The researcher named Mobikwik in a series of tweets, adding that hacker(s) had access to the company’s data since January 2021.
However, Mobikwik denied the leak via a tweet on March 4. “A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organisation while desperately trying to grab media attention. We thoroughly investigated his allegations and did not find any security lapses,” the company said in its tweet. The company also said it will be pursuing “strict action” against the researcher and claimed that the data he showed proved nothing.
This, though, may have been false, as other security researchers started weighing in with their thoughts. On March 29, prolific security researcher Robert Baptiste (who goes by Elliot Alderson on Twitter) confirmed the leak, crediting a third security researcher for the tip. Alderson said this was probably the “largest KYC leak in history”.
Alderson’s tweet was followed by many others, who criticized Mobikwik for its reaction to the leaks. “The MobiKwik leak is real. Here is what the dump had for me. One of those credit cards was valid until a couple weeks ago, and I don't recall authorising MobiKwik to save it. Companies that lie like (this) ought to be taken to the cleaners,” wrote Kiran Jonnalagadda, founder of HasGeek, in a tweet.
Australian security consultant Troy Hunt, who created the website haveIbeenpwned.com, also called the company out for its reaction. “Never *ever* behave like @MobiKwik has in this thread from 25 days ago. Try Googling “mobikwik data breach” now,” said Hunt.