Database consisting of 20 million BigBasket users leaked online
Indian firms continue to be targeted by cybercriminals. After the recent MobiKwik and Domino's India leaks, it's the turn of online grocery giant BigBasket. This isn't a fresh leak, as BigBasket had confirmed back in November 2020 that data belonging to 20 million users was sold for $40,000 in black markets. This treasure trove, however, is now allegedly out in the open.
Infamous threat actor "ShinyHunters" just leaked the database of "BigBasket, a famous Indian 🇮🇳 online grocery delivery service. (@bigbasket_com)
— Alon Gal (Under the Breach) (@UnderTheBreach) April 25, 2021
20,000,000+ clients affected and information such as emails, names, hashed passwords, birthdates and phone numbers were leaked. pic.twitter.com/tD5TMxNkH7
The BigBasket database was posted for universal access on a popular cyber-crime forum by a hacker collective known as ShinyHunters. The leaked data is the same as last time and includes email IDs, phone numbers, home addresses, hashed passwords, IP addresses, and date of birth. The group has been flooding hacker forums with databases spanning 11 companies and a massive 73.2 million user records.
Although BigBasket acknowledged the breach in early November, analysts at Cyble contend that the actual breach happened much earlier on October 14. Cyble itself discovered it on October 14 and informed BigBasket of the development on November 1. Interestingly, the breach came just weeks after Tata Group announced its plan to acquire BigBasket, which was then valued at $1.8 billion.
The risk exponentially increases whenever such databases are made public. Ideally all BigBasket users should have changed their passwords back then, but you can now use portals such as Have I been pwned to check if your account has been compromised. Entering your email address will reveal if you have been affected by the BigBasket leak. In reality, this affects all BigBasket users.
The worrying spate of Indian e-commerce entities being targeted by cybercriminals isn't surprising given the high-dollar valuations and acquisitions by Fortune 500 companies. Such publicity attracts professional hackers, who then target these companies. Hopefully, this will prompt more Indian businesses to shore up cybersecurity and take preemptive measures to secure databases. Until then, we are looking at baptism by fire for Indian cybersecurity professionals.
