BigBasket Data Breach: Details of 2 Crore Users Put on Sale on Dark Web, Company Files Complaint

New Delhi: Bengaluru-based online grocery company Big Basket is allegedly facing a data breach in which the data of nearly two crore users has been put on sale on the dark web including their names, email IDs, contact numbers, pin, full addresses, IP addresses of login, password hashes etc.

 The dark web is a part of the internet that has encrypted online content not indexed by conventional search engines.   

US-based cybersecurity firm Cyble said that a hacker has put up the alleged data of BigBasket users on sale for around Rs 30 lakh. The data breach reportedly occurred on October 14.

Cyble in a blogpost said, “In the course of our routine Dark web monitoring, the Research team at Cyble found the database of Big Basket for sale in a cyber-crime market, being sold for over $40,000. The leak contains a database portion; with the table name ‘member_member’. The size of the SQL file is ~ 15 GB, containing close to 20 Million user data. More specifically, this includes full names, email IDs, password hashes (potentially hashed OTPs), pin, contact numbers (mobile + phone), full addresses, date of birth, location, and IP addresses of login among many others.”

BigBasket has now filed a police complaint at the cyber crime cell of Bengaluru and is evaluating the extent of the breach.

The e-commerce firm said in a statement that the privacy of its customers was a priority and the platform does not store financial data of its users and was confident that the financial data was secure, according to PTI.

"A few days ago, we learnt about a potential data breach at Bigbasket and are evaluating the extent of the breach and authenticity of the claim in consultation with cybersecurity experts and finding immediate ways to contain it. We have also lodged a complaint with the Cyber Crime Cell in Bengaluru and intend to pursue this vigorously to bring the culprits to book," BigBasket said in the statement.

The company said the only customer data that they maintain are email IDs, phone numbers, order details, and addresses. Hence, these details could have been accessed. “We have a robust information security framework that employs best-in-class resources and technologies to manage our information. We will continue to proactively engage with best-in-class information security experts to strengthen this further," BigBasket added.

Big Basket operates in multiple Indian cities including Bangalore, Hyderabad, Mumbai, Pune, Chennai, Delhi, Noida, Mysore, Coimbatore, Vijayawada-Guntur, Kolkata, Ahmedabad-Gandhinagar, Lucknow-Kanpur, Gurgaon, Vadodara, Visakhapatnam, Surat, Nagpur, Patna, Indore and Chandigarh Tricity city.

The company has as its investors the Alibaba Group, Mirae Asset-Naver Asia Growth Fund, and the United Kingdom state-owned CDC group.