Cyber security researcher Rajshekhar Rajaharia claimed on Wednesday that hacker possibly known as ShinyHunters is selling database belonging to three Indian companies — ClickIndia, ChqBook and WedMeGood — on Dark Web.
Rajshekhar Rajaharia earlier revealed the hacking of masked credit and debit card data of crores of Juspay users.
E-marketplace ClickIndia, fintech startup for small business owners ChqBook and wedding planning website WedMeGood will be under pressure to enhance cyber security infrastructure.
Nearly 80 lakh users of ClickIndia (name, email, mobile and other personal details), 10 lakh users of ChqBook (name, email, mobile, full address and other personal details) and 13 lakh users of WedMeGood (name, email, hashed password, other sensitive personal information), Rajshekhar Rajaharia told IANS.
These three companies have also not allegedly told the users about the data breach, claimed the security researcher.
BleepingComputer website said that a data breach broker is selling the allegedly stolen user records for 26 companies on a hacker forum.
ChqBook denied the attack while the other two companies were yet to react to the report.
Sonit Jain, CEO of GajShield Infotech, said such incidents, once confirmed irrespective of data sensitivity, leaves a negative impression over the digital payment platforms.
“Simple data like email ID and phone number which may not look sensitive can turn out to be lethal means of financial fraud at personal level, if fallen in wrong hands.”
Bengaluru-based digital payments gateway JusPay said earlier that the company verified that their Secure Data Store, which hosts the confidential card numbers, was not accessed or compromised.
According to Rajaharia, the hacker is the same who leaked BigBasket data, previously reported by the cybersecurity firm Cyble.
In November last year, one of India’s popular online grocery stores BigBasket, found that its data of over 20 million users had been hacked and were on sale on the dark web for over $40,000.
The same hacker group is asking about $10,000 in Bitcoin for the BigBasket database and is also selling the three companies’ databases, Rajaharia said.
US-based third-party cyber intelligence firm Cyble claimed in its official blog that though the alleged breach occurred on October 14, it detected it on October 30, validated it on October 31 and informed BigBasket on November 1.