BENGALURU: Mobile payment firm MobiKwik denied accusations of a leak of data belonging to its 3.5 million users, after security experts and others complained on Twitter that users’ sensitive information, including credit card details, Aadhaar card numbers, phone numbers and KYC details, was accessible on the dark web.
MobiKwik CEO Bipin Preet Singh clarified on Tuesday that, in response to the accusations, the company will get a third party to conduct a forensic data security audit.
“For our users, we reiterate that all your MobiKwik accounts and balances are completely safe. All financially sensitive data is stored in encrypted form in our databases. No misuse of your wallet balance, credit card or debit card is possible without the one-time-password (OTP) that only comes to your mobile number. We strongly recommend that you do not try to open any darkweb/anonymous links as they could jeopardize your own cyber safety,” Singh said in a statement.
A month ago, an internet researcher, Rajshekhar Rajaharia, put out a tweet alleging that the data of 11 crore Indian card holders was stolen by hackers who had had access to MobiKwik’s server since December 2020. He added that the hackers were trying to sell the data on the dark web for over 1.5 bitcoins, amounting to more than Rs 50 lakhs.
Besides Rajaharia, a French cyber security specialist, Robert Baptiste, who tweets with the handle Elliot Anderson, termed MobiKwik’s data breach the biggest KYC leak in history.
Many MobiKwik users also claimed to have seen their credit card details, phone numbers/email addresses online by clicking on a link which had gone viral.
Kiran Jonalagadda, co-founder of HasGeek, said that the MobiKwik leak is real. “Here is what the dump had for me. One of those credit cards was valid until a couple weeks ago, and I don't recall authorising MobiKwik to save it. Companies that lie ought to be taken to the cleaners,” he tweeted.
MobiKwik, which is preparing to list on stock exchanges this year, said that while the company is investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. “Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source,” it added.