Personally identifiable data relating to more than 20 million BigBasket users has allegedly ended up on an underground forum where criminals buy and sell stolen data and hacking tools.
As reported by TechCrunch, hackers going by the name “ShinyHunters” posted the database on the dark web for free over the weekend. The publication analyzed a small sample of the database and concluded that it is legitimate.
The data includes email addresses, phone numbers, addresses, scrambled passwords, dates of birth, and scores of interactions users had with the service.
So far, neither BigBasket nor ShinyHunters has issued a comment.
BigBasket is an Indian grocery delivery startup that recently agreed to be acquired by conglomerate Tata Group for $1.8 billion, a process that’s still pending regulator confirmation.
It confirmed suffering a data breach in November last year, after reports started popping up suggesting data on 20 million users had been stolen from the service.
Even though the passwords that were stolen were hashed, at least two separate threat actors claim to have decoded the passwords and put them up for sale. One is saying they decoded roughly two million passwords that were hashed using the SHA1 algorithm.
Another is saying that almost 700,000 people used “password” as their password, making their accounts easy to brute-force.
All BigBasket users are urged to change their login credentials immediately.