Personal Data of 20 Million Users of BigBasket Leaked on Dark Web

This leak includes names, email IDs, password hashes, contact details, location, and even IP addresses of the users.


Data of more than 20 million BigBasket customers has allegedly been leaked on the dark web. The database was first stolen in November 2020. The online grocery delivery platform had earlier confirmed that its platform was hacked.

A cyberespionage group dubbed 'ShinyHunters' published this massive dataset on a dark web forum. The database has been made publicly available for anyone to download.

This dataset includes names, email IDs, password hashes, contact numbers, addresses, date of birth, location, and even IP addresses of the users affected.

The Quint, through cyber security researcher Sourajeet Majumder, could personally verify and confirm that the data has been posted on the dark web data forum by ShinyHunters. The data posted amounts to 3.25 GB and includes personal information belonging to 2 crore BigBasket users.

What Happened in 2020?

In 2020, it was reported that 'ShinyHunters', a notorious hacker group, had allegedly breached BigBasket, an Indian online grocery delivery service, and had put up the data for sale on the dark web.

Later, BigBasket acknowledged the breach and filed an FIR to verify cyber intelligence group Cyble's claim that the grocery delivery platform had suffered a massive breach.

What Happened Now?

The same hacker group has publicly dumped the data of 21 million users of BigBasket on a hacking forum (RaidForums) this Sunday.

The 3.25 GB file has been made open for all to download, and it includes users' names, residential addresses, IP addresses, emails, phone numbers and SHA-1 hashed passwords of their BigBasket accounts, besides other details.

However, the data does not hold any financial information of BigBasket's users.

“In the leaked dataset, I was also able to find phone numbers and other details of social media influencers, YouTubers, journalists who were registered on BigBasket. Even my own info was a part of the dataset.”
Sourajeet Majumder, Cyber Security Researcher

What Can You Do?

Since the company has confirmed there has been a data breach, you can always request them to tell you what kind of data has been compromised. A company is obliged to provide you with that information since it's your data.

“Since the scale of this data breach is quite alarming, BigBasket must look into this ASAP and notify its users about this breach so that they can stay alert from any scam calls or phishing campaigns. Users too must change the passwords of their BigBasket account to stay on the safer side,” Majumder told The Quint.

BigBasket Responds

The Quint reached out to BigBasket for a comment on the alleged data breach. Here's what the company said:

“This article/social media post refers to an alleged data breach in Nov-2020 and not something that has happened recently. The reason we know it’s not recent is that the article/social media post mentions the release of hashed passwords. We had eliminated all hashed passwords from our system and moved to a secure OTP-based authentication mechanism quite some time back. Also, our site does not collect or store any sensitive personal data of customers like credit card details. So customer data continues to be safe and no further action needs to be taken by customers.”
