
Flipkart Users to Reset Passwords to Avoid Fraud: Cyber Expert

 

A data breach occurred recently at the e-commerce sites Flipkart and BigBasket. According to reports, BigBasket's latest data breach revealed the personal information of some Flipkart customers as well. Seven months after it was first discovered, the matter has resurfaced. 

According to an independent cybersecurity expert, an alleged leaked database may lead to unauthorized transactions from accounts of Flipkart customers who also used grocery platform BigBasket with the same user ID and passwords. 

In November, BigBasket was involved in a major data breach that exposed the personal information of over 2 crore users. Some users who shared the same credentials for Flipkart and BigBasket have complained that their accounts have been compromised as a result of the leak. As of now, this is just affecting Flipkart users. 

Cybercriminals are selling sets of email addresses and passwords of customers from allegedly leaked BigBasket databases that match accounts at e-commerce companies Flipkart and Amazon, according to expert Rajshekhar Rajaharia. However, he said Amazon sends an OTP at login when there is a change in the browser. 

'It seems, some people are selling Bigbasket Email: Password combinations as Flipkart data. People are using the same password for all websites. Almost all emails are matching with Bigbasket DB (database). Change your Flipkart Passwords asap,' Rajaharia tweeted. 

He also said that Flipkart accounts should be secured, and posted account details that were being sold on Telegram. 

'Anyone with a combination of leaked email and password can easily log in from anywhere including VPN/TOR to Flipkart. Please mandatory 2FA (two-factor authentication) for all accounts,' Rajaharia said. 

When contacted, a Flipkart spokesperson said that the company is absolutely dedicated to ensuring the safety and protection of customer data and that the company has "robust information security systems and controls in place." 

A Flipkart spokesperson told Inc42 in response to the data breach, “In addition, we run awareness campaigns through different media and social networks to raise awareness about fraudulent activities, educating consumers on best practices for a secure online experience and keeping their accounts safe from unscrupulous cyber elements.”
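The two controls mentioned above (an OTP when the browser changes, and 2FA so that a correct password alone is not enough) can be sketched as follows. This is an added example, not code from Flipkart, Amazon or the original post; the event fields, thresholds and device store are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, account, device_id, password_ok).
# 203.0.113.7 replays leaked pairs; one works because the password was reused.
EVENTS = [
    ("203.0.113.7", "u1@example.com", "dev-x", False),
    ("203.0.113.7", "u2@example.com", "dev-x", False),
    ("203.0.113.7", "u3@example.com", "dev-x", True),
    ("203.0.113.7", "u4@example.com", "dev-x", False),
    ("203.0.113.7", "u5@example.com", "dev-x", False),
    ("198.51.100.20", "u6@example.com", "dev-home", True),
    ("198.51.100.31", "u7@example.com", "dev-new-phone", True),
]
# Hypothetical store of browsers/devices each account has verified before.
KNOWN_DEVICES = {"u3@example.com": {"dev-u3"},
                 "u6@example.com": {"dev-home"},
                 "u7@example.com": {"dev-old-phone"}}

def stuffing_sources(events, min_accounts=4, min_fail_ratio=0.5):
    """Return IPs that tried many distinct accounts and mostly failed.
    The thresholds are illustrative and need tuning on real traffic."""
    accounts, fails, total = defaultdict(set), defaultdict(int), defaultdict(int)
    for ip, account, _device, ok in events:
        accounts[ip].add(account)
        total[ip] += 1
        fails[ip] += 0 if ok else 1
    return {ip for ip in total
            if len(accounts[ip]) >= min_accounts
            and fails[ip] / total[ip] >= min_fail_ratio}

def decide(event, known_devices, flagged_ips):
    """Return 'deny', 'otp' or 'allow' for a single login attempt."""
    ip, account, device, ok = event
    if not ok:
        return "deny"
    # A correct password from a flagged source or an unseen browser is
    # not sufficient on its own: require a second factor.
    if ip in flagged_ips or device not in known_devices.get(account, set()):
        return "otp"
    return "allow"

def review(events, known_devices):
    """Apply the policy to every event: (ip, account, decision) tuples."""
    flagged = stuffing_sources(events)
    return [(e[0], e[1], decide(e, known_devices, flagged)) for e in events]

if __name__ == "__main__":
    for row in review(EVENTS, KNOWN_DEVICES):
        print(*row)
```

The reused password for `u3@example.com` still verifies, but the login stops at the OTP step instead of yielding a session.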

ShinyHunters is Leaking Data of all the Big Conglomerates

 

Following the hacking of masked credit and debit card data belonging to crores of Juspay customers, independent cybersecurity analyst Rajshekhar Rajaharia reported on January 6, 2021, that the same hacker, likely operating under the name 'ShinyHunters,' is now selling databases belonging to three more Indian companies on the Dark Web. 

ShinyHunters, the well-known hacker responsible for exposing the accounts of companies such as Animal Jam, Mashable, Upstox, and 123RF, among others, has returned with yet another high-profile data breach. 

The hacker has recently focused on leaking databases belonging to Indian institutions. While unconfirmed, it is thought that the hacker's extortion efforts failed and that, as a result, the hacker is leaking the stolen data. 

This time, ShinyHunters has leaked a database belonging to WedMeGood, a prominent Indian wedding planning website that handles everything from location selection to photographer bookings and wedding outfit arrangements. WedMeGood has a website and an app that allows couples planning weddings to find nearby vendors and get ideas and inspiration for their big day. The business is headquartered in Gurgaon and was founded in 2014 by Mehak Sagar Shahani and Anand Shahani. 

According to Hackread.com's review, the database contains 41.5 GB of data, including the city, gender, full names, phone numbers, email addresses, password hashes, booking leads, last login date, account creation date, Facebook unique ID numbers, and holiday summary for Airbnb.

JusPay, a Bengaluru-based digital payments portal, previously stated that their Secure Data Store, which houses sensitive card numbers, had not been accessed or leaked. "Thus, all our customers were secure from any kind of risk. Our priority was to inform the merchants and as a measure of abundant precaution, they were issued fresh API keys though it was later verified that even the API keys in use were safe," the company said. 

The hacker, according to Rajaharia, is the same one who leaked BigBasket info, as confirmed by cybersecurity firm Cyble. BigBasket, one of India's most popular online grocery stores, discovered that its data of over 20 million users had been compromised and was for sale on the dark web for over $40,000 in November of last year. 

"Now, the same hacker group is asking about $10,000 in Bitcoin for the BigBasket database and is also selling the three companies' databases," Rajaharia said. "There is a strong connection between all these recent data leaks, including BigBasket," he added.

BigBasket: Data Breach Leaks 20 Million User Data

 

A threat actor dropped about 20 million Big Basket user records containing personally identifiable details and hashed passwords on a popular hacking forum. 

Headquartered in Bangalore, India, Big Basket is an online food supply service. The company mainly provides its customers with groceries and home supplies. Big Basket is a well-known grocery delivery platform that lets consumers buy food online and have it delivered. 

On the morning of 26th April, a well-known seller of breached data named Shiny Hunters published a database for free on a hacker website, claiming that it had been stolen from Big Basket. In November last year, when the same seller attempted to sell the stolen data through private sales on some hacking websites, Big Basket confirmed to Bloomberg News that it had experienced a data breach. 

“There’s been a data breach and we’ve filed a case with the cybercrime police,” Big Basket CEO Hari Menon told Bloomberg News. “The investigators have asked us not to reveal any details as it might hamper the probe.” 

The entire database, estimated to contain over 20 million user records, has now been published for free. It contains e-mail addresses, SHA1 hashed passwords, addresses, phone numbers, and various other details.

Forum members claim to have already cracked 2 million of the SHA1-hashed passwords. Another member says 700k of the customers used 'password' as their account password. Shiny Hunters has carried out several other data breaches in the past, including Tokopedia, Teespring, Minted, Chatbooks, Dave, Promo, Mathway, Wattpad, and more. 
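Fast hashes such as SHA1 are what make cracking at this scale cheap, and the usual remedy is to re-hash each password with a salted, slow KDF the next time its owner logs in. The sketch below is an added example, not BigBasket's code: the unsalted single-pass SHA1 legacy format, the record layout and the iteration count are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor

def legacy_sha1(password):
    """Legacy scheme assumed for illustration: one unsalted SHA-1 pass.
    Every account with the same password gets the same stored value."""
    return hashlib.sha1(password.encode()).hexdigest()

def hash_password(password):
    """Salted, slow hash; record format is pbkdf2$<iters>$<salt>$<key>."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2$%d$%s$%s" % (ITERATIONS, salt.hex(), key.hex())

def verify_and_upgrade(password, stored):
    """Check a login attempt against the stored record.

    Returns (ok, record_to_store). A legacy SHA-1 record that verifies
    is replaced by a PBKDF2 record, so the weak hash leaves the database
    the first time its owner logs in.
    """
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, key_hex = stored.split("$")
        key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                  bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(key.hex(), key_hex), stored
    ok = hmac.compare_digest(legacy_sha1(password), stored)
    return ok, (hash_password(password) if ok else stored)

if __name__ == "__main__":
    # Constructed records: two users who both chose 'password'.
    db = {"alice": legacy_sha1("password"), "bob": legacy_sha1("password")}
    print("legacy hashes identical:", db["alice"] == db["bob"])
    for user in db:
        ok, db[user] = verify_and_upgrade("password", db[user])
    print("upgraded hashes identical:", db["alice"] == db["bob"])
```

Accounts that never log in again keep their legacy hash, so a migration like this is normally paired with a forced reset for dormant users.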

The leak came weeks after the Indian Tata Group decided to purchase Big Basket, at an increase of over $1.8 billion in the value of Indian start-ups. Approval of the acquisition plan by the Indian regulator is currently pending. 

Because Bleeping Computer has verified that some of the records are accurate, including Big Basket users' personal information, customers are safer assuming that their data has been leaked too. All Big Basket users are strongly advised to change their passwords immediately, both on Big Basket and on every other site where they used the same password.

Online Grocery Store BigBasket faces Data Breach of 2 Crore Users

 

E-grocery platform BigBasket has suffered a data breach that leaked the information of almost 2 crore users, cyber intelligence firm Cyble confirms.
The leading food store from Bangalore admitted the data breach on Sunday. 

US-based third-party cyber intelligence firm Cyble saw BigBasket's data on sale for $40,000 on the dark web during its routine patrols. Cyble reported on its blog that the breach probably occurred on October 14; the firm detected it on October 30, validated it on October 31, and informed the e-retailer on November 1.

“In the course of our routine dark web monitoring, the research team at Cyble found the database of Big Basket for sale in a cybercrime market, being sold for over $40,000. The leak contains a database portion; with the table name ‘member_member’. The size of the SQL file is about 15 GB, containing close to 20 million user data,” Cyble reported on their blog. 

The company says it has lodged a report with the Cyber Cell, that the data that could have been stolen includes the email IDs, phone numbers, order details, and addresses it stores for its customers, and that it is employing the best security to contain the breach. 

The company made the following statement on the matter: 

“A few days ago, we learned about a potential data breach at Bigbasket and are evaluating the extent of the breach and authenticity of the claim in consultation with cybersecurity experts and finding immediate ways to contain it. We have also lodged a complaint with the Cyber Crime Cell in Bengaluru and intend to pursue this vigorously to bring the culprits to book. 

“The only customer data that we maintain are email IDs, phone numbers, order details, and addresses so these are the details that could potentially have been accessed. We have a robust information security framework that employs best-in-class resources and technologies to manage our information. We will continue to proactively engage with best-in-class information security experts to strengthen this further,” Bigbasket said. 

India is fast becoming a prime target for hackers and cyber fraud. According to a report by global cybersecurity company Sophos, 82% of Indian companies were attacked in the past 12 months and only 8% of them were able to fend off the attack, compared to the global average of 24%. The numbers show that companies need to upgrade their cybersecurity; in the long run, the focus should be not on fixing problems after an attack but on preventive measures that stop the attack from happening in the first place.