India’s largest online grocery platform, Bigbasket, faced a massive data breach recently – potentially exposing personal details of over 20 million users. Detected by cybersecurity firm Cyble’s research team, the database containing this leaked information is on sale for $40,000 on the dark web.
While Bigbasket has reported this to Bengaluru Cyber Cell, the authenticity of the incident is being verified internally. Detected by Cyble on October 30, 2020, the breach allegedly occurred on October 14, 2020 and was validated by Cyble on October 31, 2020.
The database reportedly contains a table named “member_member”, consisting of details such as names, email IDs, password hashes, pins, contact numbers, addresses, dates of birth, locations and IP addresses.
“In the course of our routine Dark web monitoring, the Research team at Cyble found the database of Big Basket for sale in a cyber-crime market, being sold for over $40,000. The leak contains a database portion; with the table name ‘member_member’.
The size of the SQL file is ~ 15 GB, containing close to 20 Million user data. More specifically, this includes full names, email IDs, password hashes (potentially hashed OTPs), pin, contact numbers (mobile + phone), full addresses, date of birth, location, and IP addresses of login among many others. “, Cyble stated in its blog.
Bigbasket responded to the situation by stating that it is evaluating the extent of the potential breach and the authenticity of the claim, and that it is finding ways to contain it immediately.
“We have also lodged a complaint with the Cyber Crime Cell in Bengaluru and intend to pursue this vigorously to bring the culprits to book.”, it added.
Strictly maintaining that user privacy and confidentiality is of the highest priority, Bigbasket said that it uses one-time passwords sent via SMS for user verification, instead of storing passwords. Financial data, such as payment methods, are not stored and are therefore secure.
“The only customer data that we maintain are email IDs, phone numbers, order details, and addresses so these are the details that could potentially have been accessed. We have a robust information security framework that employs best-in-class resources and technologies to manage our information. We will continue to proactively engage with best-in-class information security experts to strengthen this further”, Bigbasket stated.
Funded by 17 investors including Alibaba Group, Trifecta Captial Advisors, and CDC Group, this Bengaluru-based online food and grocery delivery startup was informed about the breach on November 01, 2020.