A hacker going by the name ‘Shiny Hunters’ has leaked approximately 20 million BigBasket user records on a popular hacking forum. The records contain detailed personal information (including email IDs, mobile numbers, dates of birth and home addresses) and hashed passwords. The database (a 15 GB file in SQL format) has been posted for free and is available for anyone to download. BigBasket is an Indian online grocery delivery service that allows people to shop online for food and have it delivered to their homes.
Several forum members also replied on the thread in the cybercrime forum, stating that they had decoded millions of hashed passwords already and had put them up for sale.
Alon Gal, Co-founder and CTO at Hudson Rock, a cybercrime intelligence firm, who also goes by the handle @UnderTheBreach on Twitter, tweeted that the hashing used for passwords is not secure, and the passwords are essentially plain text.
The same notorious cyber criminal had also leaked the Upstox database earlier this month and later suspended the download links, citing that Upstox had paid the ransom. However, 2500 KYC (know your customer) illustrations are still accessible from that database.
Cyber-security researcher Rajshekhar Rajaharia explained to Moneylife that today’s leaked database is associated with the data breach that BigBasket itself confirmed in November last year.
In November 2020, BigBasket had confirmed that they had suffered a data breach after Shiny Hunters had previously tried to sell the stolen data at 15 paisa per user record or Rs 30 lakh for the entire database.
“The privacy and confidentiality of our customers are our priority and we do not store any financial data, including credit card numbers. And are confident that this financial data is secure,” BigBasket had said in a statement then. BigBasket CEO Hari Menon had even said that a case had been filed with the cybercrime police. However, they were asked not to reveal any details.
Meanwhile, the website Have I Been Pwned? (which informs users whether their data has been compromised in any recent breaches) has sent an email to notify some affected customers about the data leak.
If you have signed up with BigBasket, we would advise you to change your password and disable all online payment options associated with your BigBasket account right away.
If you have used the same username or email address and password combination at any other site, please change the password there too. By changing your password, you can ensure that no one else is able to access any more account details than what might have already leaked in the breach.
A password manager is recommended to help you manage the unique passwords you use at different sites.