A database of about 20 million alleged BigBasket users has leaked on a well-known cybercrime forum, months after the Indian grocery delivery startup confirmed it had faced a data breach.
The database includes users’ email address, phone number, address, scrambled password, date of birth, and scores of interactions they had with the service. TechCrunch confirmed details of some customers listed in the database — including those of the author.
A BigBasket spokesperson shared the following statement, “This article / social media post refers to an alleged data breach in Nov-2020 and not something that has happened recently. The reason we know it’s not recent is that the article /social media post mentions the release of hashed passwords. We had eliminated all hashed passwords from our system and moved to a secure OTP-based authentication mechanism quite some time back. Also, our site does not collect or store any sensitive personal data of customers like credit card details. So customer data continues to be safe and no further action needs to be taken by customers.”
TechCrunch has asked BigBasket if the startup has any words for the personal details — email address, physical address, phone number etc — of the users that has leaked.
TechCrunch has asked one BigBasket co-founder whether the startup ever disclosed the data breach to customers.
A hacker who goes by the name ShinyHunters published the alleged BigBasket database — and made it available for anyone to download — on a popular cybercrime forum over the weekend.
In newer posts on the forum, at least two threat actors claimed that they had decoded the hashed passwords and had put them up for sale. ShinyHunters didn’t immediately respond to a text requesting comment.
The incident comes weeks after Indian conglomerate Tata Group agreed to acquire BigBasket, valuing the Indian startup at over $1.8 billion. The acquisition proposal is currently awaiting approval by the Indian regulator.
The story was updated with BigBasket’s statement.