The leaked information accommodates info for 3.25 lakh customers, which is the precise variety of customers that BuyUCoin claims to have
The leaked information is contained in a MongoDB dump, which is a well-liked database for contemporary apps
The leaked information accommodates delicate info equivalent to customers’ checking account numbers, IFSC codes, and the kind of financial institution accounts
Extra Indian casualties of the notorious hacking group ShinyHunters have emerged. The group has allegedly leaked a 6 GB information dump of Indian crypto change BuyUCoin on the darkish internet, the place it’s out there for obtain free of charge. The leaked information accommodates info for 3.25 lakh customers, rather less than the variety of customers that BuyUCoin claims to have served.
In line with cybersecurity researcher Rajshekhar Rajaharia, who first alerted Inc42 of the event, the info is contained in a MongoDB database, which is utilized by many trendy apps. The leaked database accommodates delicate info equivalent to customers’ names, telephone numbers, e mail addresses, PAN numbers, in addition to financial institution particulars equivalent to account quantity, IFSC code and the kind of account. It’s price noting that BuyUCoin collects such info from customers who make a deposit on the change platform to buy cryptocurrencies.
Screenshots of the leaked database additionally reveal the BuyUCoin referral codes for some customers, together with particulars of their buying and selling actions on the crypto change. In line with Rajaharia, who can also be an affected person, information until September 2020 is contained within the leaked database.
Whereas names, telephone numbers and e mail addresses are largely used for large-scale phishing campaigns, the truth that sure financial institution particulars of customers have additionally been leaked from BuyUCoin is of grave concern.
Over the previous few months, ShinyHunters has leaked person information from varied Indian corporations equivalent to Juspay, Clickindia, Chqbook and Bigbasket amongst others. As with these different situations, the BuyUCoin information additionally seems to have been leaked by a breach of the corporate’s server, because the leaked information is within the type of a dump.
Responding to Inc42‘s queries, BuyUCoin claimed no information breach had taken place. “Within the mid of 2020, whereas conducting a routine testing train with dummy information, we confronted a ‘Low Influence Safety Incident’ wherein non-sensitive, dummy information of solely 200 entries was impacted. We want to make clear that not even a single buyer was affected through the incident,” learn the corporate assertion.
Nevertheless, as came upon by Inc42, this declare will not be true, because the real person information for cybersecurity researcher Rajaharia was additionally included within the leaked database. The authenticity of the leaked information for different customers couldn’t be ascertained.
Based in 2016 by Atulya Bhatt, Devesh Aggrawal and Shivam Thakral, BuyUCoin is a New Delhi-based crypto change which claims to have processed digital forex trades price $500 Mn. The platform helps greater than 50 main cryptocurrencies, together with Bitcoin, Ethereum and Ripple.
In March final 12 months, BuyUCoin forayed into the worldwide crypto market when it was granted the crypto commerce and pockets license in Estonia. That very same month, the corporate’s CEO Shivam Thakral introduced that BuyUCoin would combine with Indian digital funds pockets Mobikwik, with the latter being supplied as a fee choice for customers on the crypto change.
India’s Poor Cybersecurity Monitor Report
Earlier this month, Indian funds processor Juspay, which powers the fee gateways of main corporations equivalent to Amazon, Uber and Ola in India, noticed information from 10 Cr digital funds transactions leaked in one of many greatest information breaches to have an effect on an Indian firm.
These information breaches have come to mild, simply as 2020 has come to an in depth, a 12 months when India witnessed a fast rise in phishing and social engineering, ransomware, distributed denial of service or DDoS, and several other different kinds of cyberattacks on its corporations. In line with the Ministry of Electronics and Info Know-how (MeitY), Indian residents, business and authorized entities confronted 7 Lakh cyberattacks until August 2020 alone, practically double the variety of cyberattacks in 2019 — 3.94 Lakh.
On-line grocery platform BigBasket, Google-backed hyperlocal supply platform Dunzo, restaurant chain proprietor Haldirams, edtech platform Edureka, on-line journey market RailYatri and even the private web site of Prime Minister Narendra Modi suffered information breaches in 2020, with the info on a few of these web sites being subsequently leaked on the darkish internet the place it was out there for buy.
Cybersecurity consultants Inc42 spoke to, had been of the opinion that the fast rise in cyberattacks on Indian corporations might be attributed to the shift to make money working from home (WFH) for many corporations amid the Covid-19 pandemic. Indian’s geopolitical tensions with its neighbours China and Pakistan within the 12 months passed by may be in charge for the spate of cyberattacks.
Replace – January 21, 2021, 8:15 pm: The sooner model of the story incorrectly talked about the variety of affected customers as 3.5 lakh. The identical has been corrected to three.25 lakh.
BuyUCoin’s response was added.