The pandemic has given a lift to e-commerce platforms. Due to the social distancing norms, travel restrictions, and curfews, people all over the world found themselves more occupied with digital browsing. And this sparked an online shopping spree, changing shopping habits from physical trolleys to smart carts. Using this trend to their advantage, threat actors targeted several online retail platforms throughout 2020. One such platform, which suffered a massive data breach last year, was BigBasket – an Indian online grocery delivery service. But it seems cybercriminals do not want to let the company go just yet!
Recently, a database containing data on BigBasket’s 20 million customers was leaked on a darknet forum. It is likely that the current data leak is linked to its October 30, 2020, data breach, which included users’ full names, contact details, email IDs, password hashes (potentially hashed OTPs), PINs, full addresses, birth dates, locations, and IP addresses of logins, among many others.
Infamous threat actor “ShinyHunters” just leaked the database of “BigBasket”, a famous Indian 🇮🇳 online grocery delivery service. (@bigbasket_com)
20,000,000+ clients affected and information such as emails, names, hashed passwords, birthdates and phone numbers were leaked. pic.twitter.com/tD5TMxNkH7
— Alon Gal (Under the Breach) (@UnderTheBreach) April 25, 2021
According to Twitter posts by both Alon Gal, co-founder and CTO of cybercrime intelligence firm Hudson Rock, and independent security researcher Rajshekhar Rajaharia, the infamous threat actor group ShinyHunters leaked the database on the dark web, making it available for anyone to download.
Dear #BigBasket, People use same passwords on all websites. It’s your responsibility to alert users #infoSec #dataprotection pic.twitter.com/pOUs1tYTYx
— Rajshekhar Rajaharia (@rajaharia) April 26, 2021
What’s the Impact?
Attackers claimed to have decrypted millions of passwords linked to BigBasket customers. This could put the affected customers at risk, as threat actors might use the decrypted passwords and email addresses to obtain access to their other online accounts.
“Beware!! If you are using #BigBasket, change your passwords immediately on BigBasket and the remaining sites. Groups on the dark web have claimed to decrypt millions of the listed passwords. ShinyHunters posted this alleged database for free,” said Rajaharia.
Commenting on the hackers’ post, BigBasket said, “This article / social media post refers to an alleged data breach in Nov-2020 and not something that has happened recently. The reason we know it’s not recent is that the article / social media post mentions the release of hashed passwords. We had eliminated all hashed passwords from our system and moved to a secure OTP-based authentication mechanism quite some time back. Also, our site does not collect or store any sensitive personal data of customers like credit card details. So, customer data continues to be safe, and no further action needs to be taken by customers.”
Several incidents have been reported in recent times in which malicious actors were found selling stolen information on darknet markets; hence, the FBI has warned consumers to be vigilant while shopping online. In a security alert, the FBI stated that attackers are targeting shoppers by redirecting them to fraudulent websites via social media platforms and search engines.