The BigBasket data breach that made headlines towards the end of 2020 is clearly not over yet. After initially offering the breached customer data for sale for Rs 30 lakh following the breach about six months ago, hacker collective ShinyHunters, which claimed responsibility for the attack, has now posted the data publicly on a dark web data marketplace. Details about the data posted on the forum were revealed by noted cyber security advocate Alon Gal on Twitter, including screenshots as proof of the data post and numbers for reference.
News18, through independent cyber security researcher Sourajeet Majumder, could verify and confirm that the data has indeed been posted on the dark web data forum by ShinyHunters. The post contains a 3.25GB database that includes varying degrees of personal information belonging to over 2 crore individuals. The database was posted on the dark web forum on Sunday, April 25, and remains live at the time of writing. The data was previously offered for sale by ShinyHunters, on the basis of which BigBasket had in the interim filed a first information report with a cyber police department in India, after acknowledging the breach.
The database file that has now been made public contains a number of more sensitive identifiers, alongside usual suspects such as phone numbers. These include residential addresses, dates of birth and email addresses, among others, which is enough for malicious threat actors to conduct identity theft, ransomware attacks, stalkerware and spyware-based cyber espionage, and much more. The exposure of user addresses makes matters murkier: such database exploitation can lead to grave circumstances that go beyond financial loss or petty scams. News18 has additionally reached out to BigBasket for a statement on the matter; a response is presently awaited.
It is not yet clear how BigBasket aims to react to this, and given that the data has been made public, it is also unclear how much the company can do beyond urging its users to update their credentials and employing better cyber security standards on its servers. Users whose data may have been breached as a result of this cyber attack may check for their email addresses, passwords and phone numbers on databases such as Have I Been Pwned, for more clarity on steps they may need to take.