A data breach at Moneycontrol has come to light. This breach has impacted 7 lakh+ users. Independent security researcher, Sourajeet Majumdar in a tweet reported this incident first. As per the tweet, personal data of over 7 lakh users of Moneycontrol was available on the dark web. According to the hackers, the breach occurred six to seven months ago. The majority of victims of the breach are from India.
The leaked data includes users’ usernames, plain-text passwords, phone numbers, email addresses, and city and state of residence.
As per Inc42, the data breach also affects some paid subscribers of Moneycontrol.
Exchange between Majumdar and Moneycontrol’s CTO
On April 9, a day after this report, in a tweet, Pandurang Nayak, CTO, Digital, Network 18 replied
Appreciate that this has been brought to our attention. Prima facie, this appears to be an old data set. Information about current users is safe. The organisation takes its responsibility towards information security very seriously.”
On April 10, Moneycontrol resets users’ passwords stating that they non-compliant with their policy. Moneycontrol sent emails containing username and new password. This came to light after some users started replying to Majumdar’s thread reporting the incident.
After this, Majumdar replied to Nayak’s tweet. He asked him if he acknowledges that there was any breach. He asked as to what criteria Nayak used to come to the conclusion that the data was old. How the company would maintain the protection of the users if the accounts were generated before the password policy was revised.
Nayak has not yet replied to the questions raised by Sourajeet.
This seems to have become a trend to passively acknowledge a breach by simply suggesting that the leaked dataset ‘seems to be an old data set’, and that the data of present users is safe. Facebook resorted to a similar trick recently when confronted with leaked data. However, readers must note that even if a breached entity labels data as ‘old’, the data could still be in use and does not lose its relevance in phishing campaigns.
Do subscribe to our Telegram channel for more resources and discussions on technology law and news. To receive weekly updates, and a massive monthly roundup, don’t forget to subscribe to our Newsletter.