Online grocery platform BigBasket has become the latest target of a cyberattack in India. The company recently faced a potential data breach, with the information of over 2 crore users put up for sale on the dark web, revealed US-based cybersecurity firm Cyble.
The entire database was available for sale for US$40,000 on the dark web. The data included full names, email IDs, password hashes (potentially hashed OTPs), PIN, contact numbers, addresses, date of birth, location and IP address of login among a host of other information, a Cyble blogpost reveals.
Notably, the Bengaluru-based company has lodged a complaint with the cybercrime cell and is ascertaining the extent of the breach as claimed by cyber experts.
What did Cyble say?
Cyble, in its blog, said: “In the course of our routine dark web monitoring, the research team at Cyble found the database of Big Basket for sale in a cybercrime market, being sold for over USD 40,000. The leak contains a database portion; with the table name ‘member_member’. The size of the SQL file is about 15 GB, containing close to 20 million user data.”
While Cyble has mentioned “passwords”, the company uses a one-time password sent through SMS, which changes every time a user logs in.
Cyble claimed that the breach occurred on October 14, 2020, and it has already informed the management of BigBasket about it.
The cyber intelligence firm said that on October 31 it validated the breach through “validation of the leaked data with BigBasket users/information”, and that on November 1, “Cyble disclosed the breach to BigBasket management”.
What did BigBasket say?
The company said: “A few days ago, we learnt about a potential data breach at BigBasket and are evaluating the extent of the breach and authenticity of the claim in consultation with cybersecurity experts and finding immediate ways to contain it. We have also lodged a complaint with the Cyber Crime Cell in Bengaluru and intend to pursue this vigorously to bring the culprits to book.”
The company added that the privacy and confidentiality of customers is a priority, that it does not store any financial data, including credit card numbers, and that it is confident this financial data is secure.
“The only customer data that we maintain are email IDs, phone numbers, order details, and addresses so these are the details that could potentially have been accessed. We have a robust information security framework that employs best-in-class resources and technologies to manage our information. We will continue to proactively engage with best-in-class information security experts to strengthen this further,” BigBasket said.
Timeline of events
According to Cyble, the following is the timeline of events:
Oct 14: The alleged breach occurred
Oct 30: Cyble detected the breach
Oct 31: Cyble validated the breach through validation of the leaked data with BigBasket users/information
Nov 1: Cyble disclosed the breach to BigBasket management
Nov 7: Public disclosure.