Cyber Incident Victim: RentoMojo

On or around April 1, 2023, the furniture and appliance rental startup RentoMojo, operated by Edunetwork Pvt. Ltd., confirmed it had experienced a data breach. The company acknowledged that the incident was the result of an attack by hackers and was likely to affect approximately 150,000 of its subscribers. The breach did not impact any financial information, such as credit card details, debit card numbers, or UPI data, as the company stated it never stored this type of sensitive information within its internal databases. RentoMojo reported the security incident to the appropriate authorities and committed to cooperating fully with the ensuing investigation into the matter.

The threat actor responsible for the breach was identified as ShinyHunters, a known hacking group. This group directly contacted RentoMojo's customers via email to inform them that their personal data had been compromised. The communications from the threat actor claimed that the data was now in their possession and would be made public. These emails also alleged that the breach was a direct result of RentoMojo failing to respond to the hackers' prior demands, suggesting a possible extortion attempt preceded the public announcement of the data theft.

Subscribers of the service began publicly reporting the incident on social media platforms, sharing their concerns and the notifications they had received from the attackers. Users posted on Twitter, now known as X, detailing the content of the emails and expressing significant anxiety over the potential exposure of their personal information. One user shared a direct quote from the communication, which stated, "I have received any email from ShinyHunters that there is data breach on rentomojo and my data has been breached and now available with hackers." Another user's post indicated the threatening nature of the message, which claimed the actor would "make my data public since the company did not respond to there demands."

The operational impact of the breach was centered on the potential exposure of subscriber data. RentoMojo's service, which began operations in 2014, allows users in major Indian cities including Bengaluru, Mumbai, Delhi NCR, and Pune to rent furniture, household utilities, and motorbikes through a subscription model. The compromised data is understood to belong to this user base. The company's immediate response involved official confirmation of the event and outreach to the relevant law enforcement and data protection authorities to initiate a formal investigation.

The consequences of the incident primarily involved the risk of personal data exposure for a substantial portion of its customer base. The breach notification process was, in part, initiated by the threat actors themselves through their direct emails to users, which heightened customer concern and led to public scrutiny of the company's security practices. The company's public statement aimed to reassure customers regarding the safety of their financial information while acknowledging the compromise of other forms of personal data. The full scope and specific types of the non-financial data exfiltrated were not detailed in the immediate public confirmation. The incident represented a significant security event for the startup, necessitating a coordinated response with authorities to manage the aftermath and address the concerns of its affected subscribers.