MobiKwik says no data breach even as users share ‘evidence' on Twitter

Gurugram-based fintech startup MobiKwik has discovered itself on the receiving finish of some offended customers on Twitter for allegedly hiding a knowledge breach involving over 10 crore customers. MobiKwik on March 4 has denied allegations of a reported knowledge breach and claimed that “a media-crazed so-called security researcher” reported a false case of cybersecurity to seize media consideration. The corporate had additionally assured that consumer knowledge was safe and there have been no safety lapses at their finish.
Virtually a month later, MobiKwik has issued one other assertion and stated that the corporate is investigating this…and it'll get a 3rd celebration to conduct a forensic knowledge safety audit.” This improvement comes after customers began to put up screenshots of textual content information revealing consumer particulars.
So far as the “so-called security researcher” is worried, his identify is Rajshekhar Rajaharia and he was among the many first to inform MobiKwik in regards to the safety breach. He claimed that the corporate didn't reply to him initially. He says that it was solely after his tweet went viral that the corporate issued a press release denying the safety breach declare on March 4.

What consumer particulars could have gotten leaked
As per the breached knowledge, consumer particulars that will have leaked embrace: identify, cellphone quantity, hashed passwords, checking account particulars, tackle, e mail ID, photograph, Aadhaar knowledge, passport knowledge, different apps put in on the cellphone and extra.

The safety researcher’s model of the story
In an interplay with The Occasions of India–GadgetsNow, Rajaharia stated, “On February 25, a hacker on dark web forum (Raid Forum) claimed that he was in possession of all the user data of one of the top 3 fintech startups in India. The hacker did not mention the name of the company. The reason why the hacker did not disclose the name of the company that got breached is because he wanted to make some money. Later he created a group on Discord and started to share details as evidence of the breach. Through his sample data, I guessed it belonged to MobiKwik.”
“When I tried to confirm with the hacker that whether this data actually belonged to MobiKwik or not, he did not confirm and said that the data downloading process was still ongoing. This is when I thought of informing MobiKwik about a potential breach,” he stated.
Rajaharia had knowledgeable MobiKwik by way of Twitter and LinkedIn, on March 1, about the potential for a breach. He didn't obtain any official response from the corporate. He claims to have emailed the founding father of MobiKwik about the identical however there wasn’t any response.
Rajaharia, claimed that after alerting MobiKwik, the hacker by way of a put up stated that “he lost link with the company servers and all the data got corrupted”.

“Soon after that MobiKwik removed the email option from signup form so that no one can match leaked emails with its server,” he added.
Later, Rajaharia stated that he himself reported a bug in MobiKwik’s platform after a few days. “They denied the existence of the bug and fixed it on their end,” he claimed.

His posts on each LinkedIn and Twitter showcasing the bug have been deleted by the respective platforms for “violation of policies”. Although it's not clear why each Twitter and LinkedIn took down his posts, one motive could possibly be as a result of him posting non-public particulars of customers.

“The team at MobiKwik was so confident that the breached data was only with one hacker that they publicly denied the breach altogether after the hacker said that he lost the data as it got corrupted,” he added.
Nonetheless, that’s not the case as per Rajaharia and he claims that knowledge of all MobiKwik customers remains to be out there and there’s even a search engine made for a similar. Via his search engine, anybody can search and get private particulars of customers.
How the ‘search engine’ fuelled #MobikwikDataBreach development on Twitter
After the search engine was created, folks used it to search out private particulars of MobiKwik customers by looking the database with e mail ID. As soon as they bought a match, a number of customers claimed that the info was correct and certainly sourced from MobiKwik. A few of these customers shared screenshots of leaked private particulars and posted on Twitter. Quickly, “#MobikwikDataBreach” began trending on Twitter. This appears to have made the corporate launch a press release.
The Occasions of India–GadgetsNow independently accessed the search engine and might verify its existence. This search engine will be accessed solely by way of the Tor browser.

MobiKwik’s newest official assertion on the info breach incident
“…Some users have reported that their data is visible on the darkweb. While we are investigating this, it is entirely possible that any user could have uploaded her/ his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the darkweb has been accessed from MobiKwik or any identified source.
When this matter was first reported last month, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach. The company is closely working with requisite authorities, and is confident that security protocols to store sensitive data are robust and have not been breached. Considering the seriousness of the allegations, and by way of abundant caution, it will get a third party to conduct a forensic data security audit.
For our users, we reiterate that all your MobiKwik accounts and balances are completely safe. All financially sensitive data is stored in encrypted form in our databases. No misuse of your wallet balance, credit card or debit card is possible without the one-time-password (OTP) that only comes to your mobile number. We strongly recommend that you do not try to open any dark web/anonymous links as they could jeopardize your own cyber safety.”