New Delhi: In yet another data breach involving an Indian firm, sensitive data of nearly 3.25 lakh users of Delhi-NCR based global cryptocurrency exchange and wallet, BuyUcoin, has allegedly been exposed on the Dark Web.
The data leaked included names, e-mails, mobile numbers, encrypted passwords, user wallet details, order details, bank details, KYC details (PAN number, passport numbers) and deposit history.
According to independent cybersecurity researcher Rajshekhar Rajaharia, the 6GB file on MongoDB database contains three backup files containing BuyUcoin data.
“This is a serious hack as key financial, banking and KYC details have been leaked on the Dark Web,” Rajaharia told IANS and shared some screenshots of the leaked data.
Researchers at cybersecurity firm Kela Research and Strategy Ltd first discovered the stolen data, linked on the same forum, from Wongnai Media Co Ltd, Tuned Global Pvt Ltd, BuyUcoin, Wappalyzer, Teespring Inc and Bonobos.com, which looks the handiwork of infamous hacking group ShinyHunters.
“Over this past summer, ShinyHunters was seen publishing leaked data for free, exposing millions of personal records from all over the world,” Victoria Kivilevich, threat intelligence analyst at Kela Research, told SiliconANGLE.
“We have seen collaborators of Shiny Hunters selling and leaking other dumps in recent months.”
In a statement shared with IANS, BuyUcoin said it faced a ‘Low Impact Security Incident’ in mid-2020 in which non-sensitive, dummy data of only 200 entries was impacted.
“We would like to clarify that not even a single customer was affected during the incident. We would like to assure our customers that all the transactions on our platform take place in a highly encrypted environment,” the company claimed.
Founded in July 2016, BuyUcoin is a crypto wallet and exchange platform where merchants and consumers can transact with digital assets like Bitcoin, ethereum, ripple etc.
Based out of Delhi-NCR, the company claims it has over 3.5 lakh customers and has helped them trade in over $500 million to date.
We are on a mission “to bring cryptocurrencies in a million Indian pockets,” the company says on its website.
Meanwhile, ShinyHunters has also leaked 1.9 million user records stolen from free online photo editing application Pixlr.
According to Rajaharia, the hacker is the same who earlier leaked BigBasket and JusPay data in India.
In November last year, one of India’s popular online grocery stores BigBasket found that its data of over 20 million users had been hacked and were on sale on the dark web for over $40,000.
“Now, the same hacker group is asking about $10,000 in Bitcoin for the BigBasket database and is also selling the three companies’ databases,” Rajaharia said.
“There is a strong connection between all these recent data leaks, including BigBasket,” he added.
Earlier this month, Bengaluru-based digital payments gateway JusPay said that about 3.5 crore records with masked card data and card fingerprint were compromised by the hacker.
Rajaharia also disclosed that three Indian companies — e-marketplace ClickIndia, fintech startup for small business owners ChqBook and wedding planning website WedMeGood — were also hacked possibly by the same hacker.
“Nearly 80 lakh users of ClickIndia (name, email, mobile and other personal details), 10 lakh users of ChqBook (name, email, mobile, full address and other personal details) and 13 lakh users of WedMeGood (name, email, hashed password, other sensitive personal information),” Rajaharia had revealed.
