Digital wallet and payments company MobiKwik, on Monday, denied claims that sensitive data of millions of its users has been leaked. Independent cybersecurity researchers have alleged that a database containing KYC (know your customer) details of nearly 3.5 million users of MobiKwik is up for sale on the dark web.
First tweeted by independent cybersecurity researcher Rajshekhar Rajaharia and then by French researcher Elliot Alderson on Monday, the alleged breach includes 8.2TB of data containing users' phone numbers, emails, hashed passwords, addresses, bank accounts and card details.
Again!! 11 Crore Indian Cardholder's Cards Data Including personal details & KYC soft copy (PAN, Aadhar etc) allegedly leaked from a company's Server in India. 6 TB KYC Data and 350GB compressed mysql dump. @RBI @IndianCERT #InfoSec #dataprotection #Finance pic.twitter.com/yjc7davH3k
— Rajshekhar Rajaharia (@rajaharia) February 26, 2021
MobiKwik, however, vehemently denied any such breach. "Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organisation as well as members of the media," the company said in a statement.
"We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure," the company added.
MobiKwik said that the various sample text files that the researcher has been showcasing prove nothing, and anyone can create such text files to falsely harass any company. "Finally, our legal team will be pursuing strict action against this so-called researcher who is trying to malign our brand reputation for ulterior motives," the company said.
Alderson had tweeted: "Probably the largest KYC data leak in history."
Rajaharia had claimed earlier that "11 crore Indian cardholder's cards' data including personal details and KYC soft copy (PAN, Aadhaar, etc) allegedly leaked from the company's server in India".
According to the researchers, the entire database is available for 1.5 Bitcoin (nearly $84,000) on the dark web.
Bipin Preet Singh, CEO of MobiKwik, said that the company is closely working with requisite authorities, and is confident that security protocols to store sensitive data are robust and have not been breached. Considering the seriousness of the allegation, and by way of abundant caution, it will get a third party to conduct a forensic data security audit, he added.
“We reiterate that all your MobiKwik accounts and balances are completely safe. All financially sensitive data is stored in encrypted form in our databases,” Bipin Preet said.
A note to our users. pic.twitter.com/J3WRM0Ko8v
— Bipin Preet Singh (@BipinSingh) March 30, 2021
Meanwhile, Hasgeek co-founder Kiran Jonnalagadda tweeted that the MobiKwik data leak is real and showed a data dump to prove his point. “One of those credit cards was valid until a couple weeks ago, and I don't recall authorising MobiKwik to save it. Companies that lie ought to be taken to the cleaners,” he said.
The MobiKwik leak is real. Here is what the dump had for me. One of those credit cards was valid until a couple weeks ago, and I don't recall authorising MobiKwik to save it. Companies that lie like ought to be taken to the cleaners. https://t.co/sptyC1Jz8f pic.twitter.com/c4Uu25OviP
— Kiran Jonnalagadda (@jackerhack) March 29, 2021
Ashwin Mahesh, the founder of Mapunity and co-founder of India Together, tweeted that with the company denying reports of the data breach, it’s not clear what the public is supposed to do. He also pointed to utilities around the country that use MobiKwik for online payments but are keeping quiet.
Amidst reports of a large data breach at Mobikwik, the company is denying any leaks. It's not clear what the public is supposed to do. There are also utilities around the country which have signed up with Mobikwik for online payments, who are keeping very quiet :-)
— Ashwin Mahesh (@ashwinmahesh) March 30, 2021
Several users have also tweeted about the alleged MobiKwik data leak.
CHANGE YOUR PASSWORD NOW ⚠️
Even My Data was there in MobiKwik Biggest Ever Leak... #StaySafeOnline #Technical0812 #DataSecurity #databreach #dataleak #kyc #hacked #MobiKwik #mobikwikdatabreach #mobikwikdataleak pic.twitter.com/TNJ6H9zIEV
— Shobhit Sharma (@ScriptKKiddie) March 30, 2021
I found my personal info, card details & address listed on a website which has leaked database of #mobikwik users. @MobiKwik
Pls take immediate action against this. #mobikwikdataleak @GoI_MeitY @rsprasad @Cyberdost @narendramodi @PMOIndia
— Parth Deshpande (@IAmParthD) March 29, 2021
My data on @MobiKwik has been breached and posted online.
It includes my email, passwords, Bank Account details, Card details, phone number, Account Creation date, etc. #mobikwik #MobikwikDataLeak #DataLeak pic.twitter.com/49I4azGQ2u
— Prateek Pardeshi (@par_prateek) March 29, 2021
I found my data in this leak including details like my Credit card number and password hash. Please check if your data has leaked and change password proactively!
This is the biggest data leak ever as per security researchers. @MobiKwikSWAT Please look into it. #MobikwikDataLeak https://t.co/eWV5BZvyzg
— Abhishek Anand (@techieanand) March 30, 2021
@MobiKwik how can you directly deny that there is no data leak???
I have checked with 3 different accounts including mine, they have email, mobile number, card number.
You will have to give the answers. #mobikwik #MobikwikDataLeak
— Vella Engineer (@engineer_vella) March 29, 2021
My data on @MobiKwik has been breached and posted online.
It includes my email, passwords, Bank Account details, Card details, phone number, Account Creation date, etc. #mobikwik #MobikwikDataLeak #DataLeak #databreach pic.twitter.com/K34ETN2plV
— Pawan kushwaha (@Pawanku56606502) March 29, 2021
The reports surfaced as MobiKwik last week raised $7.2 million in a funding round prior to its listing on the stock exchange, according to regulatory filings with the Ministry of Corporate Affairs. The company is reportedly planning an initial public offering (IPO) around September this year to raise $200-250 million.
According to Entrackr, MobiKwik's post-money valuation currently stands at $493 million with the latest funding round.
Steps to check if your MobiKwik data has been leaked or not
> First, you need to download the TOR browser.
> Copy and paste the following link in the browser: http://
> Now, enter your mobile number and click on Search.
How to protect yourself if your data has been leaked
> To change your account password, you can go to https://www.mobikwik.com/
> If you wish to withdraw any remaining balance in your wallet or transfer to your bank account, go to https://www.mobikwik.com/
> To deregister your UPI account from the website or mobile application, you can go to https://www.mobikwik.com/
> If you wish to remove any debit or credit cards linked to your account, go to https://www.mobikwik.com/
With IANS inputs