BigBasket, India’s popular e-grocery platform, has suffered a massive data breach that reportedly affects over 2 crore (or 20 million) users. The breach was first reported by cybersecurity firm Cyble over the weekend. The firm revealed that the personal information of 2 crore users was being sold on the dark web for over $40,000 (~Rs. 30 lakhs).
BigBasket is aware of the reported data breach and is currently working to “evaluate the extent of the breach and authenticity of the claim,” as per an official statement. As for what data has been exposed, the cybersecurity firm alleges that all personal information may have been leaked.
The database being sold on the dark web is said to include the full names, email IDs, password hashes, pin, contact numbers, full addresses, date of birth, location, and IP addresses, among other things. BigBasket added that it does not store any financial data, including credit or debit card details, of its users.
The cybersecurity firm, in its official blog post, states that the data breach occurred around 14th October. Cyble detected the breach on 30th October and independently verified it within a day before reporting it to BigBasket on 1st November. “We have also lodged a complaint with the Cyber Crime Cell in Bangalore and intend to pursue this vigorously to bring the culprits to book,” said BigBasket in its statement.
This data breach seems to have happened at the worst time for BigBasket. The online grocer has been in talks with the Tata Group for a majority stake sale. Tata reportedly plans to pick up 50% of the company for close to $1 billion. The COVID-19 lockdown led netizens to online grocery shopping and BigBasket was one of the forerunners in servicing the country during those tough times. It witnessed an 84% increase in new users and a 50% jump in retention numbers as compared to pre-COVID times.
Further, it will be interesting to see how BigBasket responds to this massive data breach. The company needs to lock affected accounts and urge users to reset their passwords to safeguard their data. I have been a regular BigBasket user for the past three-odd years and I’m yet to receive any official information informing of the data breach.