Back in March, we covered the news about 8.2 TB of sensitive data of MobiKwik users appearing online on a Tor URL with the ability to search using real names or phone numbers. The data appeared to be of the “know your customer” type, something that MobiKwik, as an electronic financial transactions company, would require for identity validation and account activation. Even though the proof appeared to be overwhelming, the company flatly denied suffering a data breach and claimed the leaked data resulted from users uploading it to other platforms.
In the days that followed, the Indian authorities pushed for a probe to evaluate whether a large number (up to 120 million) of citizens had been irreversibly exposed. At the same time, MobiKwik continued to maintain the same stance of denial, also playing down the claims of Rajshekhar Rajaharia, the researcher who helped publicize the appearance of that data.
Following up on that, MobiKwik has now published the results of a forensic audit conducted by an independent expert. The summary is that there's no indication of unauthorized access, by external hackers or even an internal agent, to the server where customer data is stored. This conclusion comes from an in-depth analysis of the logs provided to the auditor, DHRP. Notably, though, employee devices weren't analyzed, some non-mandatory logs were excluded from being shared with the investigating agents, and a virtual walk-through of the firm's systems was not offered to them.
If we take the audit result for granted, the only possible explanation left for the appearance of the KYC images on the dark web is that the users uploaded them to other platforms that were breached. As no fingers were ever pointed at affiliates or apps that can connect to MobiKwik’s API or any other services where a data exchange at this level could have taken place, there is no margin for speculation here.
We have reached out to MobiKwik asking for more details about the audit and also for potential findings or leads regarding the actual source of the leak. We will update this piece as soon as we hear back from them.