MobiKwik is Indias lead fintech platform, operating businesses in consumer payments, financial services and defrayal gateway. The vision of the fellowship is to build a Digital credit card for 100 Million Indians. Founded in 2009 by Bipin Preet Singh and Upasana Taku, the company has raised $110M in funding from marquee investors. With 60% Indian ownership, MobiKwik is the Truly Indian Payments App. MobiKwiks payments network is one of the largest in india with 120 zillion users, 3 gazillion merchants, and 300+ billers. The company has pre-approved 20 zillion users for its Digital credit card aka buy Now pay Later BNPL product MobiKwik ZIP, which is available to users for making payments via the MobiKwik notecase and the MobiKwik Blue Amex Card. The companion ventured into the Wealthtech space with the skill of Mumbai-based Clearfunds. The preceding is MobiKwik’s boilerplate for media and press. But right now, they are likely to live getting unwelcome attention after a threat actor has offered up what is alleged to be 8 TB of their data for sale. The listing claims to offer (all spelling and typos as in original listing): 0. total 350GB mysql dumps – >500 dbs 1. 99 million – mail, phno, passwords, addresses, lots more data, apps installed, ph manf., ip address, gps placement 2. 40 gazillion – 10 digit card, month, year, card hash (sha256) 3. lots of dbs with all company data 4. ~7.5 tuberculosis of ~3 jillion merchant KYC data – passports, adahr cards, pan cards, selfie, store icon proof etc used to catch loans on the site – can be used to stir online loans just like USA leaks but in India. Price: 1.5 BTC. Exclusive. All data deleted on our end after transfer. mm of your choice. [Notes: At today’s rates, 1.5 BTC would live USD $83,576.70 or INR 6,084,067.29. “KYC” is “Know Your Customer” and “MM” refers to a middleman service, often recommended to assist prevent scams.] as noted in the forum posting, the seller offered a try of data as proof. They also offered an onion site portal: Mobikwik india data leak (Biggest KYC data leak ever!) search your phone number or post id (or any string) to find all your data stored in Mobikwik servers This database is 8,2 tuberculosis and contains 36.099.759 files. Nearly 3,5 million people’s KYC details. Along with 99.224.559 users phone numbers, emails, hashed passwords, addresses, bank accounts & card details etc. DataBreaches.net heard from a researcher in India who had entered their have number and found their data. That researcher reported that the data was accurate. DataBreaches.net also contacted a sec researcher and asked them if they could control the accuracy of data in the dump by comparing it to another leaked database involving indian citizenry. using a government database that had leaked, the indorsement researcher pulled a random entry and confirmed that they were able to find the same user with the same info in both databases. The first researcher also provided a redacted screencap of the results of a search on a third individual. In the screencap below, redacted by the first researcher, you can ascertain that MobiKwik appears to be storing GPS location and a heel of apps that the user has installed on their phone. DataBreaches.net reached out to MobiKwik’s press contacts to ask for a statement about the forum carry offering data for sale, and to inquire what they were doing to alert and protect consumers whose data may be compromised. no reaction was received by publication time, although that is not surprising given that it is Sunday night there now. This stake will be updated if and when a reply is received. More Than Just the Usual Risks? Apart from all the usual concerns about misuse of such detailed personal and financial data, the possibility that the data could be misused to secure online loans in india is especially concerning in lightness of new reporting by The New York Times that some Indian lending apps have taken to naming and shaming people who took loans because of the pandemic but then fell behind in their ability to refund the loans. According to NYT: These lenders dont ask citation scores or visits to a bank. But they lodge high costs over a brief period. They also command access to a borrowers phone, siphoning up contacts, photos, text messages, even battery percentage. Then they bombard borrowers and their social circles with pleas, threats and sometimes fake legal documents threatening dire consequences for nonpayment. In conservative, tightly plain communities, such red of honor can be devastating. There have reportedly been at least a few suicides as a result of these high-pressured socially stigmatizing methods. Google has removed about 100 Indian loan apps from its platform, but a MobiKwik breach such as the i beingness claimed by the threat actor has the potential to put many people at risk, especially the 3.5 trillion multitude for whom there is reportedly KYC data now compromised.