In a worrying development, a MobiKwik data breach has reportedly exposed the phone numbers, passwords, addresses and other personal data of 99 million users. The MobiKwik servers that held the KYC data of several hundred thousand users were allegedly compromised, and as much as 8.2 terabytes of data is said to have been taken.
The alleged data breach was first revealed on Twitter earlier on Monday by French hacker and security researcher Elliot Alderson. Alderson shared a screenshot of a webpage claiming that the KYC details of 3.5 million people had been leaked. This includes information such as mobile phone numbers, email addresses, passwords, postal addresses and bank account details.
Probably the largest KYC data leak in history. Congrats Mobikwik… pic.twitter.com/qQFgIKloA8
— Elliot Alderson (@fs0c131y) March 29, 2021
Alderson also posted a second tweet saying the hack had been known for some time: Indian cybersecurity researcher Rajshekhar Rajaharia had spotted the leaked databases and published the information in the first week of March 2021.
Again!! 11 Crore Indian Cardholder's Cards Data Including personal details & KYC soft copy(PAN, Aadhar etc) allegedly leaked from a company's Server in India. 6 TB KYC Data and 350GB compressed mysql dump.@RBI @IndianCERT #InfoSec #dataprotection #Finance pic.twitter.com/yjc7davH3k
— Rajshekhar Rajaharia (@rajaharia) February 26, 2021
According to Indiatimes, the white-hat hacker who has access to the MobiKwik users’ data is looking to sell the entire database for 1.5 bitcoins, roughly $84,000 or approximately Rs. 61 lakh. Alderson also says the seller claims he will pull down the portal shown in the screenshot once a buyer pays the 1.5 bitcoins for access.
The offered data includes 500 MySQL databases totalling approximately 350 GB. The breach also reportedly gave the hacker access to some jaw-dropping information, including 40 million card records with 10-digit numbers together with their expiry month, expiry year and CVV. A further 7.5 TB of databases holds KYC data for 3 million merchants, including personal information such as Aadhaar card numbers, passport details and PAN card numbers, as well as images uploaded by users who applied for loans through the platform.
After the alleged revelation, MobiKwik denied the data breach, saying, “Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.”
The data breach comes at a time when the company had announced plans to go public through an IPO.
Although individual data breaches can be as hard to spot as a needle in a haystack, they have plagued multiple Indian IT companies in recent times. In 2020, EdTech startup WhiteHat Jr, already embroiled in defamation controversies, reported that a bug in its system had left the data of 2.8 lakh students exposed. News media platform Quint reached out to a security researcher, who said, “I found that the personal data of over 2.80 lakh students including names of their parents were lying exposed due to a vulnerability on the company’s server-side.”
In July 2020, Bengaluru-based delivery startup Dunzo also confirmed that it had suffered a data breach in which users’ personal information, including mobile numbers, email addresses, last login dates and last known location, was taken. The compromised database also contained advertising-related information such as advertising IDs, device information and last known IP addresses. Although the exact scale of the breach was never disclosed, some reports claimed that over 34,65,259 user accounts were affected.
Popular EdTech startup Unacademy also suffered a major data breach and, if reports are to be believed, the data of 20 million subscribers was exposed. Cybersecurity firm Cyble informed news media outlets that the hacker had started selling the database, containing records of 20 million students, for $2,000.
Local service search platform Justdial also suffered a data breach in 2019 in which the personal details of over 100 million users were compromised. Rajshekhar Rajaharia, who reported the recent MobiKwik data breach, said the company failed to fix that breach for a long time.