Data Of Over 10 Million Users From 3 Companies Up For Sale On The Dark Web

This could be the worst nightmare coming true for those who depend too much on the internet for financial activities. Data of crores is on sale on the dark web. A research by cybersecurity expert, Rajshekhar Rajahria has found that database belonging to several Indian companies is being sold right now.

Rajaharia who first brought to light the sensational JusPay hacking, says that at least three Indian companies whose data has been compromised include e-marketplace ClickIndia, fintech startup for small business owners ChqBook and wedding planning website WedMeGood.

“Nearly 80 lakh users of ClickIndia (name, email, mobile and other personal details), 10 lakh users of ChqBook (name, email, mobile, full address and other personal details) and 13 lakh users of WedMeGood (name, email, hashed password, other sensitive personal information),” said Rajaharia.

Just like JusPay, these three companies didn’t tell the users about the data breach, claimed the security researcher.

The names of the three Indian companies were first reported by Bleeping Computer website, saying that a “Data breach broker is selling the allegedly stolen user records for 26 companies on a hacker forum.”

ChqBook denied the attack while the other two companies were yet to react to this report.

The420.in had earlier reported about massive data leak at Gurgaon based wedding planning website – WedMeGood.

Also Read: Data of 1.34 Million Users of Gurgaon Based Wedding Planner Leaked Online

Such incidents leaves a negative impression over the digital payment platforms, said Sonit Jain CEO of Gajshield Infotech.

“Simple data like email ID and phone number which may not look sensitive can turn out to be lethal means of financial fraud at personal level, if fallen in wrong hands,” Jain said.

Rajaharia said that the hacker is the same person who leaked BigBasket data. One of India’s popular online grocery stores BigBasket, found that its data of over 20 million users had been hacked and were on sale on the dark web for over $40,000.

“All our customers were secure from any kind of risk. Our priority was to inform the merchants and as a measure of abundant precaution, they were issued fresh API keys though it was later verified that even the API keys in use were safe,” Juspay said

Rajharia said that the same hacker group was asking around $10,000 in cryptocurrency (Bitcoin) for the Big basket database along with three companies’ databases.

“There is a strong connection between all these recent data leaks, including BigBasket,” he added.

Though the alleged breach took place on October 14, 2020, it was detected on October 30, validated on October 31 and BigBasket was informed on November 1 claimed US-based third-party cyber intelligence firm Cyble in its official blog.

The user database was estimated to be around 20 million, with names, email ids, password hashes, pin, contact numbers, addresses, date of birth, location and IP addresses of login.

About 3.5 crore records with masked card data and card fingerprint were compromised by the hacker and the claim of 10 crore cardholders’ data being affected is “incorrect,” said JusPay on Tuesday.