Cyber Security

Upstox Data Breach leaks data of 25 lakh users

Popular discount broker Upstox has suffered a massive data breach that has exposed data of 25 lakh users. This data includes Aadhaar, PAN and bank account numbers, and also personally identifiable information like mobile numbers and email addresses. While Upstox did not comment on the data leak, it said it has upgraded its security systems ‘manifold’ on the recommendations of a global cyber-security firm.

Rajshekhar Rajaharia, an independent internet security researcher, was the first to announce the security breach. In a tweet, he stated that the data of 25 lakh users and 5.6 crores Know Your Customer (KYC) records had been exposed.

In a tweet, Rajshekhar said the hack was carried out by a hacker group known as ShinyHunters. This is the same party that went after payment processor Juspay and grocery delivery service BigBasket. 

The Hackers allegedly accessed Upstox servers using Amazon AWS Keys. According to Rajshekhar, the hacker group are looking for a USD 1.2 Mn ransom from Upstox.

Statement from Upstox

After the tweet of Rajshekhar, Upstox issued a statement acknowledging a data breach. The company’s security systems have reportedly been updated, and retail investors have been assured that their investments are secure.

“On the advice of a multinational cyber-security company, we recently updated our security systems significantly.”


 In response to news of a data breach, Upstox said on its website, “We called in the expertise of this internationally renowned company after we received emails reporting unauthorised access into our database.”

In its release, Upstox did not elaborate on the implications of the data breach. The broker stated that it has limited access to the impacted database, improved protection for third-party data warehouses, segregated user data from financial properties, and implemented a real-time monitoring system. It has also started an OTP-based password reset.

We’re stepping up our industry-leading bug bounty programme to allow ethical hackers to stress test our systems and protocols regularly and help us find any vulnerabilities,” Upstox said in a statement.


Data Breach Incidents

Over the last two years, the number of data breaches in India has increased. In November 2020, BigBasket filed a complaint with Bengaluru’s Cyber Crime Cell November 2020 to check allegations that a hacker had placed the online grocer’s data up for sale on the dark web for over $40,000. 

In May 2020 Unacademy revealed a data breach that affected 22 million users’ accounts. Zee 5 was also hacked, exposing the personal information of 9 million users. A hacking group alleged that India’s vital information infrastructure had been breached, and a study claimed that China was behind the Mumbai blackout.

Do subscribe to our Telegram channel for more resources and discussions on technology law and news. To receive weekly updates, and a massive monthly roundup, don’t forget to subscribe to our Newsletter.

You can also follow us on InstagramFacebookLinkedIn, and Twitter for frequent updates and news flashes about #technologylaw.

Rajat Chawda

Rajat is a student at the Institute of Law, Nirma University. Since a young age, he was fascinated by the technological advancements and his fascination with gadgets has helped him develop a keen interest in TMT Laws in his journey as a law student. He is associated with Mylawrd to further engage himself and learn in this area.

Share your thoughts!

This site uses Akismet to reduce spam. Learn how your comment data is processed.