Cyber Incident Victim: BigBasket
Date:
Oct 2020
Location:
India
Summary
A major Indian online grocery platform experienced a significant data breach, with approximately 20 million customer records stolen and subsequently offered for sale on the dark web for over $40,000. The compromised information included sensitive personal details such as names, email addresses, password hashes, contact numbers, physical addresses, dates of birth, and login IP addresses. A cybersecurity firm discovered the database during routine dark web monitoring, validated the authenticity of the stolen data, and notified the company, prompting internal investigations and a police complaint. The incident exposed users to heightened risks of fraud and identity theft, particularly concerning given increased reliance on online shopping services during the pandemic. Public disclosure aimed to alert affected individuals about potential exposure of their information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In October 2020, Indian online grocery platform Bigbasket experienced a significant data breach, first detected by cybersecurity firm Cyble during routine dark web monitoring. On October 30, 2020, Cyble identified a threat actor offering a 15 GB database containing approximately 20 million Bigbasket user records for sale on a cybercrime marketplace at a price exceeding $40,000. The breach was traced back to an alleged intrusion occurring on October 14, 2020. Cyble validated the authenticity of the compromised data on October 31 by cross-referencing information with known Bigbasket user details before formally notifying the company's management team on November 1. The exposed records included comprehensive personal information such as full names, email addresses, password hashes (potentially including hashed one-time passwords), mobile and landline numbers, physical addresses, dates of birth, geographical locations, and IP addresses used during login sessions.
Bigbasket responded to the breach disclosure by filing a formal complaint with the Cyber Crime Cell in Bengaluru and initiating an internal investigation. The company, which operates as a major online grocery service with over 18,000 products and backing from investors including Alibaba Group, faced heightened risks due to the COVID-19 pandemic's acceleration of e-commerce adoption. The compromised dataset exposed customers to potential identity theft, financial fraud, and targeted phishing campaigns given the breadth of personal identifiers involved. Cyble publicly disclosed the breach on November 7, 2020, emphasizing the action was taken to protect affected consumers while offering access to their AmIBreached.com platform for individuals to check exposure status. The incident underscored vulnerabilities in retail data systems during periods of increased digital transaction volumes, with the company's response focused on forensic analysis and law enforcement coordination rather than immediate public remediation announcements.