After social media sites, it appears that the data of users of even grocery delivering and shopping websites is at risk, as a reputed hacker has allegedly leaked personal data of a whopping 20 million (approximate) users of popular grocery platform BigBasket, including passwords, on a well-known hacking platform.
The data leaked comprises of personal information of the users, along with passwords which have been hashed by making use of the SHA1 algorithm (which, ironically, was developed by the National Security Agency of the US), phone numbers, and addresses, among other information, including dates of birth, and even interactions and chats with the customer service of the company. As per reports, the members of the forum have already succeeded at decoding around 2 million passwords from the database. What’s interesting is that one particular member has claimed that around 700 thousand users on BigBasket used the word “password” as their password on the site, making it particularly easy to crack them.
The platform is well reputed in India for allowing users to purchase groceries and get it delivered to their homes. The database of the users’ personal details was leaked on a free hacker forum, by a well known data breach supplier, who goes by the name ShinyHunters, claiming to have stolen it from BigBasket.
We have contacted BigBasket, and will add their response to this piece when they revert back to us.
This breach comes barely months after the same company also saw another data breach back in November last year, which too, was allegedly orchestrated by the same hacker, that is, ShinyHunters. At that time, the hacker had apparently tried to sell the information on a private platform, demanding as much as $40,000 for supplying it, as opposed to releasing it for free on a public site this time around. This seems to be somewhat of a pattern for ShinyHunters (who is most well known for having been a part of data breaches at Teespring, Tokopedia, Mathway, Wattpad, Dave, Minted, Promo, and Chatbooks), as all previous cases of data breach by the hacker have met the same fate, being released for free online after first being put up for private sales in return of money.
This breach comes weeks after the company signed a deal with Indian conglomerate Tata Group, wherein the latter had agreed to buy a majority stake in BigBasket. The deal entitles Tata Group to take over more than 60% of the stakes at the startup, increasing its value to reach somewhere between $1.8 and $2 billion. This deal will result in the company’s previous stakeholders, including Chinese giant Alibaba group, who previously owned 30% of the stakes, to be removed from the list of investors which hold stakes in the startup.
BigBasket has already raised over $750 million through a previous deal with Tata. The take over proposal is currently pending approval by Indian regulators, and consequently, the two companies have opted to keep the details of the deal under wraps.