BENGALURU: Mobile payments company MobiKwik on Tuesday denied accusations that data of its 3.5 million users have been leaked on the dark web. The denial comes after alerts and complaints surfaced on Twitter from security experts and users that their sensitive information including credit card details, Aadhar card numbers, phone numbers and KYC details were accessible on the dark web. MobiKwik CEO Bipin Preet Singh responded on Tuesday that the company will get a third party to conduct a forensic data security audit.
“For our users, we reiterate that all your MobiKwik accounts and balances are completely safe. All financially sensitive data is stored in encrypted form in our databases. No misuse of your wallet balance, credit card or debit card is possible without the one-time-password (OTP) that only comes to your mobile number. We strongly recommend that you do not try to open any darkweb/anonymous links as they could jeopardize your own cyber safety,” Singh said in a statement.
MobiKwik, which has been preparing to list on stock exchanges this year, also said that while the company is investigating this, it was entirely possible that any user could have uploaded her/his information on multiple platforms. “Hence, it is incorrect to suggest that the data available on the darkweb has been accessed from MobiKwik or any identified source,” it added.
A month ago, an internet researcher Rajshekhar Rajhari had put out a tweet alleging that 11 crore Indian card holders’ data had been stolen by hackers who had access to MobiKwik’s server since December 2020. He had added that these hackers were trying to sell the data on the dark web for over 1.5 bitcoins amounting to more than Rs 50 lakh.
Besides Rajaharia, a French cyber security specialist, Robert Baptiste, who tweets with the handle Elliot Anderson, termed the MobiKwik’s data breach as the biggest KYC leak in history. Many MobiKwik users also claimed on social media that they have seen their credit card details, phone numbers/email addresses available online via a viral link.
Kiran Jonnalagadda, co-founder of HasGeek, for instance, tweeted that the MobiKwik leak was real: “Here is what the dump had for me. One of those credit cards was valid until a couple weeks ago, and I don’t recall authorising MobiKwik to save it”.