BigBasket Data Breach: Hacker Leaks 20M User Data For Free


A hacker has leaked around 20 million BigBasket user records. The records, released on a popular hacking forum, contain personal information and hashed passwords.

BigBasket is a renowned online grocery delivery service in India. It lets people buy food and groceries online for delivery to their doorstep. On the 25th of April, 2021, a well-known data dump seller going by the name “ShinyHunters” advertised a database for free on a dark web hacker forum. The hacker claims that the database was stolen from BigBasket.

In November last year, the company confirmed to a prominent news outlet that it had suffered a data loss, following ShinyHunters’ previous attempt to sell the stolen data in private sales.

“There’s been a data breach and we’ve filed a case with the cybercrime police,” BigBasket CEO Hari Menon told Bloomberg News. “The investigators have asked us not to reveal any details as it might hamper the probe.”

As is typical of older breaches that ShinyHunters first sold privately, the malicious actor has now turned to releasing the whole database for free. The database now offered on the hacker forum contains over 20 million stolen user credentials.

The data dump contains customer information, including SHA1-hashed passwords, email addresses, phone numbers, addresses and other assorted details from BigBasket.

The released passwords are hashed with the SHA1 algorithm. Members of the darknet forum claim to have cracked 2 million of the listed passwords so far. Another forum member claims that 700K BigBasket customers had set their account password to “password”.

ShinyHunters has been held responsible for, or involved in, other data breaches in the past. These include the following, among many others:
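The following added example (not from the article or from BigBasket) shows, from the storage side, why SHA1-hashed passwords give little protection once a database leaks, next to a salted, memory-hard alternative. It assumes plain unsalted SHA-1, which the article does not specify; the accounts and the scrypt parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not data from the breach).
SAMPLE_USERS = {
    "alice@example.com": "password",
    "bob@example.com": "password",
    "carol@example.com": "c0rrect-horse-battery",
}

def sha1_hex(password):
    """Weak scheme: a single fast SHA-1 pass with no salt (assumed)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def shared_digests(users):
    """Digests stored for more than one account, with their counts.

    Without a salt, equal passwords give equal digests, so reuse of a
    common password is visible in the stored data itself.
    """
    counts = Counter(sha1_hex(pw) for pw in users.values())
    return {digest: n for digest, n in counts.items() if n > 1}

def scrypt_hash(password, salt=None):
    """Hardened scheme: per-user random salt plus memory-hard scrypt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def scrypt_verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = scrypt_hash(password, salt)
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    print("shared SHA-1 digests:", shared_digests(SAMPLE_USERS))
    salt_a, hash_a = scrypt_hash("password")
    salt_b, hash_b = scrypt_hash("password")
    print("scrypt digests equal:", hash_a == hash_b)
    print("verify ok:", scrypt_verify("password", salt_a, hash_a))
```

With the salted scheme, two accounts using the same password no longer share a stored value, and each guess costs far more work than one SHA-1 computation.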

  • Chatbooks
  • Dave
  • Mathway
  • Minted
  • Promo
  • TeeSpring
  • Tokopedia
  • Wattpad

BleepingComputer has confirmed that some of the breached data is accurate and includes information specific to the BigBasket service. The firm mentions that customers must play it safe and assume that their information has been breached as well.

They also strongly suggest that BigBasket users immediately reset their passwords on the website/app. Users must also change their passwords on any other websites where they used the same password as on their BigBasket account. A password manager is recommended to help customers manage the unique passwords that they use on various websites.

Source: BleepingComputer
