Last November, BigBasket suffered a severe data breach. The company had recorded a hike of 80% in customer base, largely due to COVID-19, as of September 2020. However, the breach ended up spilling over personal information of over 20 million (>2 crore) customers. The database included email IDs, hashed passwords, birth dates, and phone numbers of these users. The company had back then confirmed the breach and had filed a complaint with the police. But that’s not the end of it. A threat actor has apparently leaked the breached BigBasket data on hacking forums for free.
Alon Gal, Co-Founder and CTO of the Israeli cybercrime intelligence firm Hudson Rock tweeted that the “Infamous threat actor “ShinyHunters” just leaked the database of “BigBasket, a famous Indian grocery delivery service. (@bigbasket_com) 20,000,000+ clients affected and information such as emails, names, hashed password, birthdates and phone numbers are leaked.”
To add some context to the issue, he further added “To better understand how bad this type of hash is for the passwords, I can test 700,000,000,000 (70 billion) attempts at a password per minute with my RTX 3080. These passwords are essentially plaintext.”
The passwords are hashed using the SHA1 algorithm, which are not considered safe anymore, and forum members have claimed to crack over 2 million of the listed passwords already. Interestingly, one member of the forum claims that 7 lakh customers used the password ‘password’ for their accounts.
What should users do?
As advised in the past, users should immediately change their password, and use a strong password. For those thinking why they should even bother, we have got a simple explanation. Since email addresses and phone numbers were also leaked, you must know how to save yourself if someone attempts to hack, or scam you. Concerned users can also file a complaint with the CERT-In and seek an enquiry, asking to audit it the company was using ‘Reasonable Security Practices’, as enshrined in the Information Technology Rules.
Do subscribe to our Telegram channelfor more resources and discussions on technology law and news. To receive weekly updates, and a massive monthly roundup, don’t forget to subscribe to our Newsletter.