Independent cybersecurity researchers have claimed that a database containing sensitive details of 35 lakh users of fintech start-up MobiKwik was up for sale online on a hacker forum on March 29. However, the digital wallet and payments company denied the breach.
A Moneycontrol report quoted a company spokesperson as saying: “Some media-crazed so-called security researchers have repeatedly attempted to present concocted files wasting precious time of our organization as well as members of the media. We thoroughly investigated and did not find any security lapses. Our user and company data is completely safe and secure.”
The Moneycontrol report adds that the data leak includes 36,099,759 files spread over 8.2 TB. It has KYC details, addresses, email IDs, bank account numbers, credit card details, phone numbers and Aadhaar card numbers of MobiKwik customers.
Rajshekhar Rajaharia, a security researcher, first reported the leak in February this year. He tweeted then: “Again!! 11 Crore Indian Cardholder's Cards Data Including personal details & KYC soft copy(PAN, Aadhar etc) allegedly leaked from a company's Server in India. 6 TB KYC Data and 350GB compressed mysql dump. (sic)”
Again!! 11 Crore Indian Cardholder's Cards Data Including personal details & KYC soft copy(PAN, Aadhar etc) allegedly leaked from a company's Server in India. 6 TB KYC Data and 350GB compressed mysql dump.@RBI @IndianCERT #InfoSec #dataprotection #Finance pic.twitter.com/yjc7davH3k
— Rajshekhar Rajaharia (@rajaharia) February 26, 2021
A day later, in another tweet, he named MobiKwik and said that the company had removed an old post about a previous data breach from 2010. His tweet read: “As a customer of @MobiKwik It is my right to ask you, why you deleted you blog post of previous unauthorized server access(in 2010) after my tweet. (sic)”
As a customer of @MobiKwik It is my right to ask you, why you deleted you blog post of previous unauthorized server access(in 2010) after my tweet. I think it's a big controversy now.. what was the need of this step. Hiding things is not a solution. @IndianCERT @RBI #InfoSce pic.twitter.com/gmFhkA3j0D
— Rajshekhar Rajaharia (@rajaharia) February 27, 2021
In another tweet, French hacker Robert Baptiste, who goes by the pseudonym Elliot Alderson, posted a screenshot of the leaked data on Monday (March 29) and said: “Probably the largest KYC data leak in history. Congrats Mobikwik... (sic)”
Probably the largest KYC data leak in history. Congrats Mobikwik... pic.twitter.com/qQFgIKloA8
— Elliot Alderson (@fs0c131y) March 29, 2021
On Monday (March 29), many users confirmed seeing their details on a link from the dark web that began circulating online.
According to Technadu, the entire database can be bought for a price of 1.5 Bitcoin (around $85,000), which includes having the dark web portal taken offline and keeping everything exclusive.
A Business Standard report quoted an independent security researcher, Indrajeet Bhuyan, as saying that there is very little users can do, considering the large amount of data that has been leaked. “There is a big chance that scammers will be able to scam people and sound more authentic,” Bhuyan told Business Standard.