BigBasket is one of the most popular grocery delivery companies in India
A BigBasket database of over 20 million customers has allegedly been leaked on the dark Web, months after the online grocery delivery platform confirmed a data breach. The alleged database includes the email addresses, phone numbers, and hashed passwords of the affected customers. The data also allegedly carries physical addresses and dates of birth of BigBasket users. Although the database that is available for free access on the dark Web includes passwords in an encrypted form, another hacker has claimed to have decrypted some of the leaked passwords.
The alleged BigBasket database has been put on the dark Web by a hacker group infamously known as ShinyHunters. It includes details such as the email addresses, names, dates of birth, and phone numbers.
Infamous threat actor "ShinyHunters" just leaked the database of "BigBasket", a famous Indian online grocery delivery service. (@bigbasket_com)
20,000,000+ clients affected and information such as emails, names, hashed passwords, birthdates and phone numbers were leaked. pic.twitter.com/tD5TMxNkH7
— Alon Gal (Under the Breach) (@UnderTheBreach) April 25, 2021
Cyber-security researcher Rajshekhar Rajaharia told Gadgets 360 that the leaked database is associated with the breach that BigBasket itself confirmed in November last year.
Update April 26, 6.56pm: BigBasket has responded to Gadgets 360 to confirm that this is indeed the November leak, and the company also highlighted that it has made changes to its systems to eliminate all hashed passwords, moving to an OTP-based mechanism instead, as a security measure. BigBasket's full statement is included at the end of this article.
“A few days ago, we learnt about a potential data breach at BigBasket and are evaluating the extent of the breach and authenticity of the claim in consultation with cybersecurity experts and finding immediate ways to contain it,” the company had said while confirming the data breach that was made public by cybersecurity intelligence firm Cyble.
ShinyHunters made the alleged BigBasket database available for download on the dark Web over the weekend. It included hashed passwords of the affected customers. However, some passwords in plain text have now also been put on sale on the dark Web.
“Another hacker is claiming to have decrypted millions of passwords associated with BigBasket,” said Rajaharia. “This could lead to a serious problem for the affected customers as bad actors would gain access to their personal Web accounts using the decrypted passwords and leaked email addresses.”
Meanwhile, the website Have I Been Pwned? (which informs users whether their data has been compromised by any recent breaches) has sent an email to notify some affected customers about the data leak.
Founded in 2011, BigBasket is backed by China's Tata Group that in February agreed to acquire a majority stake in the company.
Update: Full statement from BigBasket:
This article / social media post refers to an alleged data breach in Nov-2020 and not something that has happened recently. The reason we know it's not recent is that the article / social media post mentions the release of hashed passwords. We had eliminated all hashed passwords from our system and moved to a secure OTP-based authentication mechanism quite some time back. Also, our site does not collect or store any sensitive personal data of customers like credit card details. So customer data continues to be safe and no further action needs to be taken by customers.