Online grocer Bigbasket may have suffered a massive data breach following which details of more than 20 million users may have been leaked on the dark web, said a US-based cybersecurity firm. Data worth $40,000 ( ₹30 lakh) was sold, the Atlanta-headquartered Cyble Inc’s research team found during routine dark web monitoring, it said in a blogpost on Saturday.
“The leak contains a database portion with the table name ‘member_member’. The size of the SQL file is ~ 15 GB, containing close to 20 million user data. More specifically, this includes full names, email IDs, password hashes (potentially hashed OTPs), pin, contact numbers (mobile plus phone), full addresses, date of birth, location, and IP addresses of login among many others,” said Cyble.
The alleged breach occurred on 14 October and Cyble detected the irregularities a fortnight later, according to the blogspot.
It was validated and shared on 1 November with the management of the Bengaluru-headquartered BigBasket, which has filed a case with the cyber crime cell in the city.
Bigbasket.com, which is run by Innovative Retail Concepts Pvt Ltd, is one of India’s largest online food and grocery store and is valued at $2 billion. The company is backed by Alibaba Group and Mirae Asset-Naver Asia Growth Fund, among others.
Bigbasket is evaluating the extent of the breach and authenticity of the claim with cybersecurity experts, besides finding ways to contain it, the online grocer said. “The privacy and confidentiality of our customers is our priority and we do not store any financial data, including credit card numbers, and are confident that this financial data is secure. The only customer data that we maintain are email ids, phone numbers, order details, and addresses so these are the details that could potentially have been accessed,” the company said.
Bigbasket has a robust information security framework that employs best-in-class resources and technologies to manage information, it said. “We will continue to proactively engage with best-in-class information security experts to strengthen this further,” it said.
The online retailer has more than 18,000 products and 1,000 brands in its catalogue and services customers in more than 20 cities across India.
The breach comes at a time when the lockdown to contain the spread of coronavirus encouraged more people to shop online for essentials such as grocery. However, online activity increased the threat of phishing attacks, though there has been no sharp spike in cyber crime activity, Bengaluru police said.
In June, delivery startup Dunzo had experienced a data breach in which the personal details of more than 300,000 accounts were leaked.
