BigBasket Faces a Possible Data Breach; Details of users of 2 million rupees put up for sale on the dark web


Grocery e-commerce platform Bigbasket has faced a potential data breach that could have leaked details of its users of around 2 billion, according to cyber intelligence firm Cyble.

The company has filed a police report in this regard with Cyber ​​Crime Cell in Bengaluru and is verifying the claims made by cyber experts.

Cyble said that a hacker has put up data allegedly belonging to Bigbasket for around 30 lakh rupees.

“In the course of our routine monitoring of the dark web, Cyble’s research team found Big Basket’s database for sale in a cybercrime marketplace, for more than $ 40,000. The leak contains a part of the database; with table name ‘member_member’. The size of the SQL file is approximately 15 GB and contains about 20 million user data, “Cyble said on his blog.

It added that the data released includes names, email IDs, password hashes, contact numbers (mobile and phone), addresses, date of birth, location, and login IP addresses, among many others.

While Cyble has mentioned “passwords”, the company uses a one-time password sent via SMS that keeps changing every time a user logs in.

“A few days ago, we learned of a possible data breach at Bigbasket and we are evaluating the extent of the breach and the authenticity of the claim in consultation with cybersecurity experts and finding immediate ways to contain it. We have also filed a complaint with the Cyber ​​Crimes Cell in Bengaluru and we intend to vigorously pursue this to bring the culprits to justice, ”Bigbasket said in a statement.

The company said that the privacy and confidentiality of customers is a priority and that it does not store any financial data, including credit card numbers, etc., and trusts that this financial data is safe.

“The only customer data that we keep is email identifications, phone numbers, order details and addresses, so these are the details that could have been accessed. We have a solid information security framework that uses the best resources and technologies to manage our information. We will continue to proactively engage with the best information security experts to further strengthen this, “said Bigbasket.

The Bengaluru-based company is funded by the Alibaba Group, Mirae Asset-Naver Asia Growth Fund and the UK government-owned CDC group.

Cyble claimed that the infringement occurred on October 30, 2020 and has already informed Bigbasket’s management about it.

The cyber intelligence firm said on October 31, Cyble validated the gap through “validation of leaked data with BigBasket users / information,” and on November 1, “Cyble disclosed the gap to Bigbasket management.” .

.