20 million Bigbasket user records available on the dark web

Bigbasket, a prominent online grocery store in India, allegedly suffered a data breach, details of over 20 million people available in the darkweb.

Grocery e-commerce website Bigbasket has allegedly suffered a data breach, according to cyber intelligence firm Cyble, the details of over 20 million people available in the darkweb.

BigBasket was founded by Alibaba Group, Mirae Asset-Naver Asia Growth Fund, and the CDC group, it has over 18,000 products from over 1000 brands in its listing. 

“Recently, Big Basket, India’s leading online food and grocery store, became victim to a data breach.” reported Cyble.

While the COVID-19 pandemic continues to spread worldwide, online shopping is becoming very important for users, and such kind of incidents is exposing millions of users to the risk of hack.

Online stores manage both personal and financial details of their customers to allow them to easily purchase the products and receive them at their home.

In routine Dark web monitoring activity, the Cyber research team spotted a threat actor offering the database of BigBasket for sale in a cyber-crime market. The archive is 15 GB in size and contains 20 million user records, it is being sold for over $40,000.

The database includes names, email IDs, password hashes (potentially hashed OTPs), contact numbers (mobile + phone), addresses, date of birth, location, and IP addresses of login among many others. 

Cyble notifies the company’s management team of the leak and they are currently working towards a disclosure process. 

Below the timeline of the alleged data breach:

• Oct 14, 2020 – The alleged breach occurred (screenshot below)
• Oct 30, 2020 – Cyble detected the breach
• Oct 31, 2020 – Cyble validated the breach through validation of the leaked data with BigBasket users/information
• Nov 1, 2020 – Cyble disclosed the breach to BigBasket management
• Nov 7, 2020 – Public disclosure.

The company has filed a police complaint in this regard with Cyber Crime Cell in Bengaluru and is investigating the alleged incident.

“Cyble is disclosing the alleged data leak in the interest of the population impacted.” concludes Cyble.

People who want to check if their information has been exposed in this data breach and other incidents can register on Cyble’s data breach monitoring and notification platform, AmiBreached.com.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, BigBasket)

[adrotate banner=”5″]

[adrotate banner=”13″]