BigBasket data breach over 20 million users sold on dark web
Online grocery platform BigBasket has faced a potential data breach, compromising personal details about over 20 million of its users, a report by US-based cybersecurity intelligence firm Cyble Inc has said.
“In the course of our routine Dark web monitoring, the Research team at Cyble found the database of Big Basket for sale in a cybercrime market, being sold for over $40,000. The leak contains a database portion; with the table name ‘member_member’. The size of the SQL file is ~ 15 GB, containing close to 20 Million user data. More specifically, this includes full names, email IDs, password hashes (potentially hashed OTPs), pin, contact numbers (mobile + phone), full addresses, date of birth, location, and IP addresses of login among many others,” Cyble said in the blog post.
The cybersecurity firm has also revealed the names of names and addresses of people exposed to the data leak. It said the financial data of the users is safe.
The stolen data is now being sold for $40,000 on the dark web, the report said, adding that details like names, email IDs, password hashes, PIN, contact numbers, addresses, dates of birth, location, among other details have been stolen by the hackers.
Meanwhile, BigBasket, which is based out of Bengaluru, has lodged a complaint with the city police’s cyber cell. The company, in a statement, has said it does not share financial data like credit card details with anyone.
BigBasket said it learned about the hack a few days ago. “We learned about a potential data breach at BigBasket and are evaluating the extent of the breach and authenticity of the claim in consultation with cybersecurity experts and finding immediate ways to contain it.”
“The customer data we maintain are email IDs, phone numbers, order details and addresses so there are details that could potentially have been accessed. We have a robust information security framework that employs best-in-class resources and technologies to manage our information,” the company said in a statement.
The company said it’ll continue to proactively engage with best-in-class information security experts to strengthen this further. Notably, when customers do online shopping details like debit and credit card details are stored with the company website to smoothen functioning in future.
Cyble, in its blog post, said the breach happened on October 31, and informed BigBasket about the possible data breach on November 1.