BigBasket data of over 2 crore users leaked, now on sale in Dark Web

In a massive data breach, online grocery store BigBasket has allegedly leaked the data of 2 crore users on the dark web. According to cyber intelligence firm Cyble, BigBasket has leaked sensitive data such as full names, email IDs, password hashes, contact numbers, addresses, and more on the dark web. Adding to the woes of BigBasket, a hacker has put the data on sale for around Rs 30 lakh.

“In the course of our routine Dark web monitoring, the Research team at Cyble found the database of Big Basket for sale in a cyber-crime market, being sold for over $40,000. The leak contains a database portion; with the table name ‘member_member’. The size of the SQL file is ~ 15 GB, containing close to 20 Million user data. More specifically, this includes full names, email IDs, password hashes (potentially hashed OTPs), pin, contact numbers (mobile + phone), full addresses, date of birth, location, and IP addresses of login among many others,” Cyble said in the blog post.

Cyble has revealed that the names and addresses of people have been exposed on the dark web but the company has claimed that the financial data of the users are safe. For online shopping, you need to share the debit or credit card details with the e-commerce platform. The site also saves the details to make it easier for you to place future orders. BigBasket has also filed a complaint at the cyber cell in Bengaluru.

Commenting on the data breach, BigBasket has said it a statement, “A few days ago, we learned about a potential data breach at BigBasket and are evaluating the extent of the breach and authenticity of the claim in consultation with cybersecurity experts and finding immediate ways to contain it. We have also lodged a complaint with the Cyber Crime Cell in Bengaluru and intend to pursue this vigorously to bring the culprits to book.”

“The only customer data that we maintain are email IDs, phone numbers, order details, and addresses so these are the details that could potentially have been accessed. We have a robust information security framework that employs best-in-class resources and technologies to manage our information. We will continue to proactively engage with best-in-class information security experts to strengthen this further,” the statement further read. Cyble has shared the exact timeline of the data breach in its blog. The report says that the breach was first detected on October 31 and November 1, Cyble informed BigBasket about the possible breach.