One of the largest grocery e-commerce platforms in India, BigBasket, has reportedly faced a data breach as a cyber intelligence firm, Cyble reports that data from almost 20 million (2 crores) users was put on for sale on the dark web. The intelligence claims that the hacker demanded Rs 30 lakhs in return for the data belonging to BigBasket’s users.
Cyble said on its blog, “In the course of our routine Dark web monitoring, the Research team at Cyble found the database of Big Basket for sale in a cyber-crime market, being sold for over $40,000. The leak contains a database portion; with the table name ‘member_member’. The size of the SQL file is ~ 15 GB, containing close to 20 Million user data.”
The firm says that the leak included full names, email IDs, password hashes, pin, contact numbers, full addresses, date of birth, location, and IP addresses of login.
According to Cyble’s intelligence, the breach first occurred on October 14. A couple of weeks later, Cyble, a firm that usually strolls across the dark web, found a database related to BigBasket on sale on the dark web on October 30. The very next day, the cybersecurity firm validated the breach through validation of the leaked data with BigBasket users and information. Once confirmed, Cyble immediately reported the breach to BigBasket, who then swiftly took further actions. The e-commerce company has filed a case with the Cyber Crime Cell in Bengaluru.
Bigbasket said in a statement, “A few days ago, we learnt about a potential data breach at BigBasket and are evaluating the extent of the breach and authenticity of the claim in consultation with cybersecurity experts and finding immediate ways to contain it. We have also lodged a complaint with the Cyber Crime Cell in Bengaluru and intend to pursue this vigorously to bring the culprits to book.”
The online grocery company further assured that it does not store any financial details of the users such as credit and debit card numbers. However, it did admit that details like email IDs, phone numbers, order details, and addresses might have been potentially leaked during the breach. BigBasket also said that the company has a strong security framework to protect users’ data and that it will continue to “proactively engage with best-in-class information security experts to strengthen this further”.