Popular Indian mobile payments service MobiKwik on Monday came under fire after 8.2 terabytes (TB) of data belonging to millions of its users began circulating on the dark web in the aftermath of a major data breach that came to light earlier this month.
The leaked data includes sensitive personal information such as:
- customer names,
- hashed passwords,
- email addresses,
- residential addresses,
- GPS locations,
- list of installed apps,
- partially-masked credit card numbers,
- connected bank accounts and associated account numbers, and
- know your customer (KYC) documents of 3.5 million users.
Even worse, the leak also shows that MobiKwik does not delete card information from its servers even after a user has removed it, in what’s likely a breach of government regulations.
New guidelines issued by India’s apex banking institution, the Reserve Bank of India, prohibit online merchants, e-commerce websites, and payment aggregators from storing card details of a customer online. The rules are set to come into effect starting July 2021.
As of July 2020, MobiKwik serves 120 million users and 3 million retailers across the country.
The data leak site, which is accessible via Tor browser and boasts…