Bigbasket data breach case study – Hacker leak records of 20 million users on the dark web

The online grocery market witnessed significant upsurge in demand since March 2020 owing to the spread of the COVID-19 pandemic. Citizens across the world were asked to stay at home to break the chain of coronavirus spread. During this time, people shifted towards online grocery shopping to meet their daily need of supply for household goods and amenities. Several large market entities across the globe put in more effort and resource on delivering essential items at the consumer’s doorstep.

In India, since the lock down of 2020, BigBasket experienced significantly increased customer traffic and demand. However, the company has recently come to be in news for the wrong reason. In April 2021, personal information including names, contact numbers, home addresses, password hashes, date of birth, number of times ordered, and IP addresses of over 20 million users was leaked on the dark web. Further, if the hashed passwords are decrypted, this might result in serious privacy issues for the affected users.

The data is reportedly leaked by a hacker group that goes by the name “ShinyHunters”. The infamous hacker group is also known to be responsible for disclosing data of more than 73 million users. This is a combined number of over 11 different companies whose data was breached, through their activities. Furthermore, as per Cyble, a dark web and cyber crime monitoring company, they had reported a similar data breach to BigBasket in November 2020. In addition, Cyble also mentioned that the users’ data was up for sale for USD 40,000 on the dark web. In response to the news in November 2020, BigBasket released an official statement which said they had filed a complaint with the Cyber Police Cell of Bengaluru and had looked into the matter.

The company is addressing the more recent, April 2021 data breach news, by saying that “the ongoing social media post is in regard to the November 2020 data breach and has not happened recently”. As per the company, they know this is not the recent breach as the current social media article mentions leakage of hashed passwords and since then the company claims to have not shifted towards using OTP-based authentication system and has deleted all the hashed passwords from their system.

Nevertheless, users who want to confirm whether their personal data is compromised or not, they can use online portals such as “AMIBREACHED” or “haveIbeenpwned.com”. These portals allow a user to verify if his/her data has been compromised in any of the current or previous data breaches.

A recent update on BigBasket data breach is also notified to users when they land on the 'Have I Been Pwned" website. If users want to confirm, they can enter their registered email ids to know if their data has been compromised or not. Moreover, to ensure online safety, users should undertake the measures mentioned below:

• Changing passwords of all net banking accounts if a data beach has occurred

• Avoid using simple and repeated passwords or PINs for all accounts

• Download apps only from the official Apple App Store or Google Play Store

• Avoid trusting any suspicious message that suggests updating your application from any malicious or suspicious sources

• Be aware about phishing and other spam attacks