BigBasket database of over 20 million customers has allegedly been leaked on the dark Web, months after the online grocery delivery platform confirmed a data breach. The alleged database includes the email addresses, phone numbers, and hashed passwords of the affected customers. The data also allegedly carries physical addresses and date of birth of BigBasket users. Although the database that is available for free access on the dark Web includes user passwords in an encrypted form, another hacker has claimed to have decrypted some of the leaked passwords.
The alleged BigBasket database has been put on the dark Web by a hacker group infamously known as ShinyHunters. It includes details such as the email addresses, names, date of birth, and phone numbers.
Infamous threat actor “ShinyHunters” just leaked the database of “BigBasket, a famous Indian ???????? online grocery delivery service. (@bigbasket_com)
20,000,000+ clients affected and information such as emails, names, hashed passwords, birthdates and phone numbers were leaked. pic.twitter.com/tD5TMxNkH7
— Alon Gal (Under the Breach) (@UnderTheBreach) April 25, 2021
Cyber-security researcher Rajshekhar Rajaharia told Gadgets 360 that the leaked database is associated with the breach that BigBasket itself confirmed in November last year.
Update April 26, 6.56pm: BigBasket has responded to Gadgets 360 to confirm that this is indeed the November leak, and the company also highlighted that it has made changes to its systems to eliminate all hashed passwords, moving to an OTP-based mechanism instead, as a security measure. BigBasket’s full statement is included at the end of this article.
“A few days ago, we learnt about a potential data breach at BigBasket and are evaluating the extent of the breach and authenticity of the claim in consultation with cybersecurity experts and finding immediate ways to contain it,” the company had said while confirming the data breach that was made public by cybersecurity intelligence firm Cyble.
ShinyHunters made the alleged BigBasket database available for download on the dark Web over the weekend. It included hashed passwords of the affected customers. However, some passwords in plain text are now also put on sale on the dark Web.
“Another hacker is claiming to have decrypted millions of passwords associated with BigBasket,” said Rajaharia. “This could lead to a serious problem for the affected customers as bad actors would gain access to their personal Web accounts using the decrypted passwords and leaked email addresses.”
Meanwhile, the website Have I Been Pwned? — that informs users on whether their data has been compromised by any recent breaches — has sent an email to notify some affected customers about the data leak.
Founded in 2011, BigBasket is backed by China’s Alibaba and is one of the leading platforms for delivering groceries online. The pandemic helped the company expand its business and even attract conglomerate Tata Group that in February agreed to acquire a majority stake in the company.
Update: Full statement from BigBasket:
This article / social media post refers to an alleged data breach in Nov-2020 and not something that has happened recently. The reason we know it’s not recent is that the article /social media post mentions the release of hashed passwords. We had eliminated all hashed passwords from our system and moved to a secure OTP-based authentication mechanism quite some time back. Also, our site does not collect or store any sensitive personal data of customers like credit card details. So customer data continues to be safe and no further action needs to be taken by customers.
Why did LG give up on its smartphone business? We discussed this on Orbital, the Gadgets 360 podcast. Later (starting at 22:00), we talk about the new co-op RPG shooter Outriders. Orbital is available on Apple Podcasts, Google Podcasts, Spotify, and wherever you get your podcasts.