Cyber Incident Victim: MobiKwik
Date: Mar 2021
Location: India
Summary
MobiKwik faced allegations of a significant data breach involving nearly 100 million user records, including phone numbers, email addresses, scrambled passwords, transaction logs, and partial payment card details, along with KYC documents for 3.5 million users. The data appeared on a dark web site that offered a searchable lookup for users to check their exposure and displayed random samples from the dump. A seller on a cybercrime forum listed the database for sale at 1.2 bitcoin (approximately $70,000), and TechCrunch verified the authenticity of some of the exposed records. The company denied the breach, stating that its investigation found no evidence of unauthorized access, despite a security researcher claiming to have alerted it weeks earlier.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In late March 2021, reports emerged alleging a significant data breach at Indian mobile payments provider MobiKwik. A dark web website claimed possession of 8.2 terabytes of data purportedly containing sensitive information from nearly 100 million MobiKwik users. The exposed records reportedly included phone numbers, email addresses, scrambled passwords, transaction logs, and partial payment card numbers. Additionally, the website asserted it held Know Your Customer (KYC) documents—specifically government-issued Aadhaar cards or PAN IDs—for approximately 3.5 million users. The dark web portal featured a searchable database allowing individuals to verify potential exposure by entering their phone numbers or email addresses, while also displaying four random images from the alleged data dump during each visit. An unidentified seller on a cybercrime forum offered access to the complete database for 1.2 bitcoin (approximately $70,000 at the time). Security researcher Rajshekhar Rajaharia stated he had alerted MobiKwik about potential security vulnerabilities the previous month.

MobiKwik acknowledged investigating the claims but disputed the data's origin in a March 30, 2021 blog post, stating no evidence confirmed the information came from their systems. The company emphasized it was "incorrect" to attribute the dark web data to MobiKwik or any identified source. TechCrunch independently verified the breach's authenticity by confirming multiple data points through the dark web portal's search function. The incident raised concerns about potential misuse of KYC documents—critical for unrestricted financial services in India—and payment information. No further investigative findings, containment measures, or technical details about the breach's entry point were disclosed by MobiKwik at the time of reporting. The company maintained its position despite external verification of the data's validity, creating uncertainty about the breach's scope and remediation status.
