BigBasket data alleged to include more than 20 million users’ details, supposedly leaked on the dark web

Database alleged to include data from more than 20 million users is said to have been leaked on the dark web
BigBasket is one of the most popular grocery delivery companies in India. A BigBasket database covering over 20 million customers has allegedly been circulating on the dark web, months after the data breach was confirmed by the online delivery platform. The database is said to include the addresses of the affected customers, their telephone numbers and hashed passwords. The data also contained the physical addresses of BigBasket users and their dates of birth. While the freely accessible database on the dark web contains user passwords in hashed form, another hacker claimed that some of the leaked passwords had been decrypted.

A hacker group known as ShinyHunters has posted the alleged BigBasket database on the dark web. Details such as e-mail addresses, names, dates of birth and phone numbers are included.

Rajshekhar Rajaharia, a cyber security researcher, told Gadgets 360 that the leaked database was associated with the breach confirmed in November last year by BigBasket itself.

April 26, 18:56 update: BigBasket responded to Gadgets 360, confirming that the leak was indeed from November. The company also emphasized that changes have been made to its systems to eliminate all hashed passwords and move instead to an OTP-based mechanism as a security measure. The complete statement by BigBasket is included at the end of this article.

“A few days ago we learned about a possible breach of data in BigBasket and, in consultation with experts from the cybersecurity industry, are assessing in detail the extent of the breach and the authenticity of the claim, and looking for immediate ways to contain it.”

The alleged BigBasket database was released by ShinyHunters over the weekend for download on the dark web. The data for the customers concerned included hashed passwords. But some passwords are now also available in plain text on the dark web.

“Another hacker claims that millions of BigBasket-related passwords have been decrypted,” said Rajaharia. “An important problem could arise for the affected customers, as bad actors would gain access to their personal web accounts with decrypted passwords and leaked e-mail addresses.”

In the meantime, the Have I Been Pwned website, which informs users if their data has been compromised in recent breaches, has emailed certain affected customers to notify them of the data leak.

Founded in 2011 and backed by China’s Alibaba, BigBasket is a leading online food service platform. The pandemic contributed to the company’s business expansion and even attracted the Tata Group, which decided to take a majority stake in February.

Update: BigBasket’s full statement:

This article/social media post is a reported infringement of data in November 2020 and not a recent occurrence. The reason we know that the article does not mention the release of hazardous passwords in social media. All hashed passwords have been eliminated by us and some time back we have moved to a secure OTP authentication mechanism. In addition, no sensitive customer information like credit card details is collected or stored on our site. Customer data therefore remains safe and customers must not take further action.