Close Menu
    Facebook X (Twitter) Instagram
    • Home
    • About Us
    • Digital Subscription
    • Advertisement
    • Contact Us
    Facebook X (Twitter) Instagram
    The Tennessee TribuneThe Tennessee Tribune
    Advertise With Us
    • Home
      • COVID-19 Resource Center
        • Dr. Henry Louis Gates’ PSA Radio
      • Featured
    • News
      • State
      • Local
      • National/International News
      • Global
      • Business
        • Commentary
        • Finance
        • Local Business
      • Investigative Stories
        • Affordable Housing
        • DCS Investigation
        • Gentrification
    • Editorial
      • National Politics
      • Local News
      • Local Editorial
      • Political Editorial
      • Editorial Cartoons
      • Cycle of Shame
    • Community
      • History
      • Tennessee
        • Chattanooga
        • Clarksville
        • Knoxville
        • Memphis
      • Public Notices
      • Women
        • Let’s Talk with Ms. June
    • Education
      • College
        • American Baptist College
        • Belmont University
        • Fisk
        • HBCU
        • Meharry
        • MTSU
        • University of Tennessee
        • TSU
        • Vanderbilt
      • Elementary
      • High School
    • Lifestyle
      • Art
      • Auto
      • Tribune Travel
      • Entertainment
        • 5 Questions With
        • Books
        • Events
        • Film Review
        • Local Entertainment
      • Family
      • Food
        • Drinks
      • Health & Wellness
      • Home & Garden
      • Featured Books
    • Religion
      • National Religion
      • Local Religion
      • Obituaries
        • National Obituaries
        • Local Obituaries
      • Faith Commentary
    • Sports
      • MLB
        • Sounds
      • NBA
      • NCAA
      • NFL
        • Predators
        • Titans
      • NHL
      • Other Sports
      • Golf
      • Professional Sports
      • Sports Commentary
      • Metro Sports
    • Media
      • Video
      • Photo Galleries
      • Take 10
      • Trending With The Tribune
    • Classified
    • Obituaries
      • Local Obituaries
      • National Obituaries
    The Tennessee TribuneThe Tennessee Tribune
    National/International News

    MobiKwik Shifts Blame On Users For Data Breach That It Says Didn’t Happen

    zenger.newsBy zenger.newsApril 6, 2021No Comments8 Mins Read
    Facebook Twitter LinkedIn Telegram Pinterest Tumblr Reddit Email
    Share
    Facebook Twitter LinkedIn Pinterest Email
    Advertisement

    MUMBAI, India — Thirty-year-old internet security researcher Rajshekhar Rajaharia first learned about a data leak of India’s top three fintech companies on a database sharing marketplace on Feb. 24. The next day, he reached out to a hacker named Jordandaven on a Discord messaging group.

    “I went to the Discord group where the hacker had shared five sample files of this data dump,” Rajaharia told Zenger News.

    “Looking at the files and the database structure, I thought it might belong to MobiKwik. I informed MobiKwik and reached out to its chief executive Bipin Preet Singh on LinkedIn to ask him to investigate the matter.”

    MobiKwik is an Indian fintech company that was founded in 2009. It offers multiple ways to pay digitally for mobile phone recharges, bill payments, shopping in local stores, and even transferring money to bank accounts.

    The firm counts U.S. venture capital firm Sequoia Capital as one of its major investors. Within the Indian landscape, MobiKwik competes with Google’s payments service, Google Pay, Softbank and Alibaba-backed Paytm, and Accel-backed Juspay, among many others.

    According to various reports, MobiKwik is looking at an initial public offering this year and expects a valuation of over $1 billion.

    But right now, MobiKwik is in the eye of a storm as it has emerged that data of 110 million users — of the around 120 million users it has — has been leaked online through its servers.

    This data is available for sale on the dark web, an encrypted part of the web that cannot be searched or indexed by regular search engines. Due to its anonymous nature, the dark web is a playground for a lot of illegal activities.  Zenger News reached out to MobiKwik CEO Bipin Preet Singh but hasn’t got a response until now.

    As seen in the screenshot taken from dark web marketplace Raid Forums, a user named the ninja_storm said the MobiKwik data dump measures 8 terabytes. It contains email IDs, phone numbers, passwords, addresses, GPS location details, credit card details, and much more.

    Also present in the dump is KYC or know-your-customer details of around 3 million users registered with various merchants. In India, every bank or fintech app needs a customer to submit their KYC details, soft copies of any national ID like a passport and Aadhaar card number (an Indian equivalent of social security number).

    Rajaharia first tweeted about the breach on Feb. 26 and claimed that the hacker boasted of having access to the company servers since January 2021. He hadn’t named MobiKwik in his first tweet on the matter as he was awaiting a response from the firm.

    Rajaharia checked if his data was there in the leak. After confirming that, on Feb. 27, he named MobiKwik and alleged that the firm had taken down its press note regarding a 2010 breach.

    “On March 1, I found another bug on their site. I informed them about it. But they denied it and fixed it in the background. They removed the APIs to remove any evidence. Later the hacker had dropped a hint that the company, whose data they had, had been compromised in 2010 as well. I checked the news from 2010, and it turned out MobiKwik was compromised then as well — surprisingly, the firm deleted a blog post on their site about the 2010 hack,” said Rajaharia.

    “Twitter blocked my account on March 9 and March 31. My account was activated on March 9 after I deleted a tweet Twitter had asked me to. On March 31, my account was blocked for 12 hours, and the entity requesting the block was ‘One MobiKwik Systems Private Limited.”

    He has given a timeline of events from Feb. 24 to March 31 on his blog. To date, he has received no communication from MobiKwik.

    French security expert Robert Baptiste, who goes by the handle @fs0c131y on Twitter, also shared a screenshot of a tweet (originally posted on March 29). He had to delete it after receiving a takedown notice. Baptiste had confirmed the MobiKwik hack on the dark web forum where users can search if their details are present in the leaked database.

    “The hacker has since deleted the search engine,” Rajaharia said.

    By March 4, MobiKwik again denied any data breach and sent out a series of tweets discrediting Rajaharia without naming him. The firm also threatened legal action.

    “I haven’t got any legal notice yet, but they have threatened action,” said Rajaharia. “I might have to visit the court as the company is auditing itself. So far, they haven’t admitted to anything. I haven’t seen any government organization reprimanding MobiKwik, so I can’t be sure.”

    After multiple data breach reports showed up, MobiKwik said in a blog post shared on March 30 that the firm had done a thorough investigation with external security experts when the breach was first reported and found no evidence of any hack.

    Many users who discovered their details in the data dump claim that they have received no communication from MobiKwik.

    “My data has been breached online. However, I don’t know how and when it happened,” developer Prateek Pardeshi told Zenger News. He also tweeted screenshots of his redacted details on Twitter.

    Prasanth Sugathan, legal director, Software Freedom Law Centre, India, told Zenger News that entities must inform India Computer Emergency Response Team (CERT-In), a government nodal agency to deal with cybersecurity threats in such cases.

    “While the companies are required to adhere to Reserve Bank of India standards and the Sensitive Personal Data Rules, there are no requirements as of now to disclose data breaches publicly,” Sugathan told Zenger News. “However, under the IT Rules, 2021, and the IT (Indian Computer Emergency Response Team) Rules 2013, they are required to disclose breaches to CERT-in.”

    A post by a hacker claiming 8 terabytes of MobiKwik data available for sale on March 27, which confirmed Rajshekhar Rajaharia’s claims from a month ago. (ninja_storm)

    Rajaharia has been in touch with CERT-In, who had reached out to him after his tweet went viral. “I have been sharing all my screenshots as well as video documentary evidence with CERT-In and also with Reserve Bank of India, Payment Card Industry Data Security Standard, MasterCard, and Visa,” said Rajaharia.

    One paragraph in MobiKwik’s note stands out as it tends to hint that the users were to blame to some extent. “Some users have reported that their data is visible on the dark web. While we are investigating this, it is entirely possible that any user could have uploaded her/his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source,” the note states.

    Sugathan said that this kind of response amounts to shifting the blame on the users “who do not have control over data stored on the server-side.”

    Many organizations have requested CERT-In to investigate the matter.

    Free Software Movement of India sent a letter to CERT-In on March 30, asking for “investigation into this incident and update citizens on what has transpired at MobiKwik.”

    Apar Gupta, noted Indian cyber law expert and executive director of the digital liberties organization Internet Freedom Foundation, also sent a letter on March 31 to CERT-In.

    “MobiKwik’s denial, which shifts the blame on users, makes it necessary for your department to investigate this issue, given the size and impact on ordinary Indian users who are put at risk of several forms of harms including identity fraud,” noted Gupta in the letter.

    “They [users] can file a civil suit against MobiKwik, and also for violation of sensitive personal data rules,” said Sugathan.

    The Indian government has been eerily silent, considering this data leak is considered the largest KYC breach in India. When WhatsApp had announced privacy policy changes, the government quickly sent notices to the Facebook-owned company. There are reports of the Reserve Bank of India asking MobiKwik to probe its data breach.

    “It highlights a major issue that companies like MobiKwik can get away with such big violations due to lack of a robust regulatory framework on data protection,” said Sugathan.

    India’s Personal Data Protection Bill 2019 deals with data breach issues, but it has yet to become a law.

    Rajaharia has been pointing out instances of data breaches for services he uses.

    “The only good experience I have had was with Juspay, whose founder reached out to me and appreciated my findings. The company even created a group with me in it to help them in securing user data,” said Rajaharia.

    “But such cases are few and far between, and responses like MobiKwik are the norm.”

    (Edited by Amrita Das and Abinaya Vijayaraghavan. Map by Urvashi Makwana)



    The post MobiKwik Shifts Blame On Users For Data Breach That It Says Didn’t Happen appeared first on Zenger News.

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    zenger.news
    • Website

    Related Posts

    Emmett Till National Monument May Be Removed Under Trump Admin

    June 28, 2025

    Black Americans Face Unequal Burden as U.S. Inches Closer to War

    June 22, 2025

    Juneteenth! Freedom Day

    June 19, 2025

    Emmy-winning journalist launches Juneteenth series

    June 19, 2025

    Donald Trump is the first president in 116 years to not be invited to the NAACP convention

    June 16, 2025

    The Department of Education is Collecting Delinquent Student Loan Debt

    April 29, 2025

    Comments are closed.

    Business

    Charlotte Knight Griffin Takes Office as TBA President-Elect

    June 30, 2025

    EXCLUSIVE OP-ED: President Joe Biden Commemorating Juneteenth

    June 19, 2025

    FUNdraising Good Times Report from Neighborhoods USA Conference in Jacksonville

    June 4, 2025
    1 2 3 … 384 Next
    Education
    Education

    Austin Peay’s MPH program receives $27K for childhood literacy initiative. Community LIFT Project to be implemented at Head Start centers this fall

    By Ethan SteinquestJune 30, 2025

    CLARKSVILLE, Tenn. – Austin Peay State University’s Master of Public Health program is on a…

    TSU, State, reach agreement to reallocate $96M to school

    June 26, 2025

    TSU student lands prestigious internship at Harvard Medical School

    June 25, 2025

    FAMU stakeholders file lawsuit to prevent Marva Johnson’s confirmation as the university’s 13th President

    June 21, 2025
    The Tennessee Tribune
    Facebook X (Twitter) Instagram
    • About Us
    • Digital Subscription
    • Store
    • Advertise With Us
    • Contact
    © 2025 The Tennessee Tribune - Site Designed by No Regret Media.

    Type above and press Enter to search. Press Esc to cancel.

    Our Spring Sale Has Started

    You can see how this popup was set up in our step-by-step guide: https://wppopupmaker.com/guides/auto-opening-announcement-popups/