BigBasket database of over 20 million customers has allegedly been leaked on the dark Web, months after the online grocery delivery platform confirmed a data breach. The alleged database includes the email addresses, phone numbers, and hashed passwords of the affected customers. The data also allegedly carries physical addresses and date of birth of BigBasket users. Although the database that is available for free access on the dark Web includes user passwords in an encrypted form, another hacker has claimed to have decrypted some of the leaked passwords.
The alleged BigBasket database has been put on the dark Web by a hacker group infamously known as ShinyHunters. It includes details such as the email addresses, names, date of birth, and phone numbers.
Infamous threat actor “ShinyHunters” just leaked the database of “BigBasket, a famous Indian 🇮🇳 online grocery delivery service. (@bigbasket_com)
20,000,000+ clients affected and information such as emails, names, hashed passwords, birthdates and phone numbers were leaked. pic.twitter.com/tD5TMxNkH7
— Alon Gal (Under the Breach) (@UnderTheBreach) April 25, 2021
Cyber-security researcher Rajshekhar Rajaharia told Gadgets 360 that the leaked database is associated with the breach that BigBasket itself confirmed in November last year.
“A few days ago, we learnt about a potential data breach at BigBasket and are evaluating the extent of the breach and authenticity of the claim in consultation with cybersecurity experts and finding immediate ways to contain it,” the company had said while confirming the data breach that was made public by cybersecurity intelligence firm Cyble.
ShinyHunters made the alleged BigBasket database available for download on the dark Web over the weekend. It included hashed passwords of the affected customers. However, some passwords in plain text are now also put on sale on the dark Web.
“Another hacker is claiming to have decrypted millions of passwords associated with BigBasket,” said Rajaharia. “This could lead to a serious problem for the affected customers as bad actors would gain access to their personal Web accounts using the decrypted passwords and leaked email addresses.”
Gadgets 360 has reached out to BigBasket for a comment on the matter. This report will be updated when we hear back.
Meanwhile, the website Have I Been Pwned? — that informs users on whether their data has been compromised by any recent breaches — has sent an email to notify some affected customers about the data leak.
Founded in 2011, BigBasket is backed by China’s Alibaba and is one of the leading platforms for delivering groceries online. The pandemic helped the company expand its business and even attract conglomerate Tata Group that in February agreed to acquire a majority stake in the company.
Why did LG give up on its smartphone business? We discussed this on Orbital, the Gadgets 360 podcast. Later (starting at 22:00), we talk about the new co-op RPG shooter Outriders. Orbital is available on Apple Podcasts, Google Podcasts, Spotify, and wherever you get your podcasts.