This reintroduces the same risks to the online supermarket’s 20 million customers. The same seller reportedly gave away a sample of Upstox data but stopped sharing it after a ransom was paid.
The ‘Big Basket’ data, which was first leaked online in November 2020, has now reappeared on a prominent hacker forum in the form of a new post by the infamous data broker “ShinyHunters.”
The actor is handing over the entire set of 20 million customer records, including full names, email addresses, phone numbers, physical addresses, and a variety of secondary-importance data that could be useful in the hands of the right actors.
Although this data is not the result of a new breach of the large Indian online supermarket site, its reappearance exposes it to more malicious individuals and could restart exploitation efforts.
Any users who have yet to reset their passwords since the breach are now at risk due to the increase in malicious activity.
Furthermore, as we now know, the hashing that is supposed to protect the passwords even in a data breach is so weak that the passwords may be considered plaintext.
According to a related tweet from ‘Under the Breach,’ the computing power of a modern graphics card is enough for anyone to crack these hashed passwords in a reasonably short time.
We asked security researcher Rajshekhar Rajaharia for his thoughts on this, as he has been watching these incidents closely since last year, and here is what he had to say:
“Cost-effective investment into data protection is much wiser than spending the bulk of money on the after-effects of data breaches. Welcoming experts aboard can help save the brand reputation of your esteemed company, and it will also create jobs.”
One thing to remember is that when Cyble reported the breach, it opened the “Aeolus bag,” only to be met with allegations of extortion and of demanding a ransom to keep the breach secret.
Rumors linked Cyble to ShinyHunters, but nothing was ever verified. We approached Cyble’s CEO, who flatly denied the rumors at the time.
ShinyHunters also published a portion of 100,000 records belonging to Upstox, an Indian online trading platform from which the data seller was allegedly extorting money.
According to the page, Upstox eventually paid the ransom, so the download links were removed.
Again, Upstox has never officially verified any of this, so we are just reproducing the data seller’s version of the story.