Database consisting of 20 million BigBasket users leaked online

By Nachiket Mhatre

Apr 27, 2021

12:43 am

What's the story

Indian firms continue to be targeted by cybercriminals. After the recent MobiKwik and Domino's India leaks, it's the turn of online grocery giant BigBasket. This isn't a fresh leak, as BigBasket had confirmed back in November 2020 that data belonging to 20 million users was sold for $40,000 in black markets. This treasure trove, however, is now allegedly out in the open.

Twitter Post

Security researcher Alon Gal calls attention to public data dump

Infamous threat actor "ShinyHunters" just leaked the database of "BigBasket, a famous Indian 🇮🇳 online grocery delivery service. (@bigbasket_com)

20,000,000+ clients affected and information such as emails, names, hashed passwords, birthdates and phone numbers were leaked. pic.twitter.com/tD5TMxNkH7

— Alon Gal (Under the Breach) (@UnderTheBreach) April 25, 2021

Repeat offenders

Massive database was posted for public access on popular forum

The BigBasket database was posted for universal access on a popular cyber-crime forum by a hacker collective known as ShinyHunters. The leaked data is the same as last time and includes email IDs, phone numbers, home addresses, hashed passwords, IP addresses, and date of birth. The group has been flooding hacker forums with databases spanning 11 companies and a massive 73.2 million user records.

Recycled

BigBasket database was breached in October last year

Although BigBasket acknowledged the breach in early November, analysts at Cyble contend that the actual breach happened much earlier on October 14. Cyble itself discovered it on October 14 and informed BigBasket of the development on November 1. Interestingly, the breach came just weeks after Tata Group announced its plan to acquire BigBasket, which was then valued at $1.8 billion.

Due diligence

Here's how you can check if you have been compromised

The risk exponentially increases whenever such databases are made public. Ideally all BigBasket users should have changed their passwords back then, but you can now use portals such as Have I been pwned to check if your account has been compromised. Entering your email address will reveal if you have been affected by the BigBasket leak. In reality, this affects all BigBasket users.

Baptism by fire

Expect cyberattacks on Indian firms to intensify

The worrying spate of Indian e-commerce entities being targeted by cybercriminals isn't surprising given the high-dollar valuations and acquisitions by Fortune 500 companies. Such publicity attracts professional hackers, who then target these companies. Hopefully, this will prompt more Indian businesses to shore up cybersecurity and take preemptive measures to secure databases. Until then, we are looking at baptism by fire for Indian cybersecurity professionals.