Maybe it was your fault? • The Register


Indian payment app maker MobiKwik has denied its security has been breached, saying that if it’s true, as has been claimed, that its customers’ information has appeared on the dark web, then some other platform was totally responsible for that.

“Some users have reported that their data is visible on the dark web,” reads a message from the company, dated March 30.

“While we are investigating this, it is entirely possible that any user could have uploaded her or his information on multiple platforms. Hence, it is incorrect to suggest that the data available on the dark web has been accessed from MobiKwik or any identified source.”

Claims that customer data had been siphoned from MobiKwik’s systems by a miscreant emerged in early March in a tweet from security researcher Rajshekhar Rajaharia:

A day later, MobiKwik vigorously disputed the allegation:

Amid its denials and threats of legal action, MobiKwik said it investigated the possibility its systems had been compromised and customer records exfiltrated and leaked. “When this matter was first reported last month, the company undertook a thorough investigation with the help of external security experts and did not find any evidence of a breach,” the biz wrote.

The company has declared itself “confident that security protocols to store sensitive data are robust and have not been breached.”

Indian sleeper train

Indian Railways suffers unspecified security ‘breaches in various IT applications’


But not so confident that it won’t dig further. “Considering the seriousness of the allegations, and by way of abundant caution, [the company] will get a third party to conduct a forensic data security audit,” it wrote.

MobiKwik customers say a sample of the firm’s data remains online and for sale. It is said to be accessible via Tor though only intermittently as whatever server or infrastructure that hosts the haul struggles to meet demand from the curious and/or nefarious, or perhaps is only up and running at certain times.

Researchers and customers say the leaked data includes card numbers, the Know Your Customer number that Indian financial institutions use to identify investors, and possibly also India’s Aadhaar national ID number.

Troy Hunt, creator of, slammed MobiKwik’s handling of the alleged breach. “From what I’ve seen so far, they’re going all ‘Iraqi Information Minister’ on this,” he tweeted, after calling out the Indian company’s response as known-worst practice… ®

You May Also Like…