Cyber Incident Victim: BigBasket
Date: Nov 2020
Location: India
Summary
A threat actor leaked approximately 20 million user records from an Indian online grocery service, containing email addresses, SHA1-hashed passwords, phone numbers, and addresses, after initially attempting private sales. The exposed data revealed weak security practices, with over 2 million passwords reportedly cracked (including 700,000 instances of the password 'password'), highlighting vulnerabilities in credential storage. The stolen data was later publicly released on a hacking forum by the group ShinyHunters, which had previously been linked to multiple high-profile data theft incidents.
Description
In November 2020, BigBasket, an Indian online grocery delivery service, confirmed it had suffered a data breach after Bloomberg News reported the incident. BigBasket CEO Hari Menon stated the company filed a case with cybercrime police following the breach and that investigators instructed them not to disclose details to avoid compromising the probe. The breach involved threat actor ShinyHunters, who initially attempted to sell the stolen data privately before leaking it publicly months later. On April 25, 2021, ShinyHunters posted approximately 20 million alleged BigBasket user records for free on a hacking forum. The leaked database contained customer information including email addresses, physical addresses, phone numbers, and passwords hashed with the SHA1 algorithm.

Analysis of the leaked data revealed significant security weaknesses among affected users. Forum members reported successfully cracking 2 million hashed passwords from the dataset, with one member noting 700,000 customers had used the weak password 'password'. BleepingComputer verified the authenticity of portions of the data by cross-referencing records with information specific to BigBasket accounts. The incident exposed customers to credential-stuffing attacks across other platforms due to password reuse. ShinyHunters, known for previous breaches at Tokopedia, Wattpad, and other companies, followed their established pattern of privately selling data before releasing it publicly. BigBasket's public confirmation remained limited to their initial November 2020 statement about the police investigation, with no subsequent updates disclosed in the available reporting.
