Indian payment services provider MobiKwik continues to deny reports of a massive security breach impacting millions of customers, despite multiple independent cybersecurity researchers claiming otherwise.
Earlier this month, the company took to Twitter to accuse “a media-crazed so-called security researcher” of falsely reporting it had been subject to a security breach. MobiKwik claimed at the time that its user and company data was “completely safe and secure”.
A media-crazed so-called security researcher has repeatedly over the last week presented concocted files wasting precious time of our organization while desperately trying to grab media attention. We thoroughly investigated his allegations and did not find any security lapses. 1/n
— MobiKwik (@MobiKwik) March 4, 2021
Additionally, the company said that “The various sample text files that he has been showcasing prove nothing. Anyone can create such text files to falsely harass any company.”
On March 29th, however, reports claimed that the details of 3.5 million MobiKwik users, totalling 8.2 TB of data records, were leaked on the underground marketplace RaidForums.
A user posting under the name of ‘ninja_storm’ claimed to have 8.2 TB of data that had been exfiltrated from the Indian company, including customers’ payment card details, names, and addresses, as well as user email addresses, phone numbers, passwords to installed mobile apps, IP addresses, and GPS locations.
According to ninja_storm, there are potentially 10 million KYC (Know Your Customer) records included in the breached database.
Yesterday, MobiKwik stood by its previous statement, once again denying that the data breach ever happened and saying that customers who found their data exposed on the dark web might have uploaded the data themselves.
The company said that external security experts found no evidence of a data breach in a thorough investigation carried out after the breach was first reported by security researcher Rajshekhar Rajaharia on March 1st.
Some users have reported that their data is visible on the darkweb. While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the darkweb has been accessed from MobiKwik or any identified source. When this matter was first reported last month, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach.
This wouldn’t be the first time MobiKwik has suffered a data breach. Back in 2010, the company was the victim of a leak after hackers gained access to some of its servers and sent emails offering to sell confidential information belonging to MobiKwik users.
The payment services provider announced it will hire third-party experts for a security audit.