Here is the updated timeline of events –
Oct 14, 2020 – The alleged breach occurred (based on the leaked data’s last updated record)
Oct 30, 2020 – Cyble detected the breach
Oct 31, 2020 – Cyble validated the breach by checking the leaked data against BigBasket users/information.
Nov 1, 2020 – Cyble disclosed the breach to BigBasket management as per the responsible disclosure process. Praveen (BigBasket) strongly insisted on not making any disclosure. Cyble advised them to let their customers know and explained to them that it is the right thing to do.
Nov 2, 2020 – Cyble began notifying its customers about the breach. Almost every global organization was affected by the breach. BigBasket had been informed of this action on the previous day.
Nov 3, 2020 – Cyble was approached by BigBasket’s VP-Engineering for our support and services; we explained why Cyble would not be able to assist (as this was a high-risk engagement – closure sent via email). On request over the call, Cyble provided “free / non-obligatory” general and non-specific insights on the dark web and cybercrime markets, given our experience and expertise. We maintained our stance that we would not be able to support them at this stage. We did explain to them that, after disclosure to their customers, we could resume the conversation. The matter was deemed closed between Cyble and BigBasket.
Nov 4, 2020 – Nov 6, 2020 – No communication between BigBasket and Cyble (as expected). No disclosure made by BigBasket.
Nov 6, 2020 – A known international media outlet approached Cyble about the breach and, upon acknowledgement, contacted BigBasket. The media outlet has been given no response whatsoever by BigBasket to date (nor has the company made any disclosure to its customers). During the day, multiple people approached Cyble because of the breach-related data on amibreached.com.
Nov 7, 2020 – Public disclosure.
Nov 9, 2020 – BigBasket acknowledged the breach.
Nov 11, 2020 – Cyble found a clear artefact connecting the BigBasket breach (and those of other companies) with ShinyHunters.
Nov 12, 2020 – Cyble updated its blog with new information and insights on the ShinyHunters group. A conversation between another cybercriminal and ShinyHunters came to light on RaidForums two days earlier, i.e., November 10, 2020. An actor with the alias “The Polaris” reported “ShinyHunters” on RaidForums (a database leak portal) with a screenshot of their conversation. The actor “The Polaris” allegedly paid ShinyHunters $40,000.
Nov 14, 2020 – Cyble was made aware of certain malicious or nefarious media reports targeted at the company.
Nov 15, 2020 – Cyble handed the matter over to its legal representative.
About ShinyHunters: This is the same hacking group that has started to flood a dark web hacking marketplace with databases containing a combined total of 73.2 million user records from 11 different companies. The group has been operating since 2015; some of its aliases are Shiny Hunters, #TheDarkOverlord and Gnostic Players.
According to the NightLionSecurity report on ShinyHunters –
“In 2016, a hacking group known as ‘The Dark Overlord’ (TDO) began terrorizing and extorting organizations. The group quickly became known throughout the media for its extortion of medical providers and the sale of stolen medical records. Some of the group’s first publicized hacks include medical facilities and law firms in Missouri.
In 2017, the group gained additional headlines for extorting companies like Disney and Netflix, threatening to release advance copies of their studio productions if their ransom demands were not met. Later that year TDO moved from traditional hacking and extortion schemes to terror-based attacks, when they targeted school districts and directly threatened the lives of students if their demands were not met. This act forced the closure of more than 30 schools for an entire week.
On January 01, 2017, TDO announced a “change of ownership” over Twitter. We believe two of the three actors described in this report ceased working with the group around this time. Following this announcement, all actions taken as part of The Dark Overlord can be traced back to one key individual: Christopher Meunier of Calgary, Canada.”
If this screenshot is taken at face value, i.e., the threat actor’s claims are accepted as stated, several other companies are potentially at risk.
Some of the companies attacked by the group in the past:
| Company | User Records | Reported Breach Date | Known? |
|---|---|---|---|
| Chatbooks.com | 15.8 Million | March 26th, 2020 | Yes |
| Dave.com | 7 Million | July 2020 * | Yes |
| Drizly.com | 2.4 Million | July 2020 * | Yes |
| GGumim.co.kr | 2.3 Million | March 2020 * | Yes |
| Havenly.com | 1.3 Million | June 2020 * | No |
| Mathway.com | 25.8 Million | January 2020 * | Yes |
| Promo.com | 22 Million | July 2020 | Yes |
| Rewards1.com | 3 Million | July 2020 * | No |
| Wattpad | 270 Million | June 2020 * | Yes |

\* Based on threat actor’s statements
The COVID-19 global pandemic has led to a rapid change in shopping behaviour, almost overnight. It marked a massive shift from brick-and-mortar retail to e-commerce.
Online shopping has proved useful to consumers in these critical times. Shopping for food and groceries from the convenience of one’s home has multiple benefits, such as 100% social distancing, no time spent commuting to the store, no long queues, 24x7 availability of the store and much more. However, this convenience comes at a cost.
Most online stores require your personal details, such as credit or debit card details for easy transactions, along with your residential address and mobile number for the delivery of products purchased. These details are stored in their databases for easy reference the next time you decide to use their services.
Recently, Big Basket, India’s leading online food and grocery store, fell victim to a data breach. Founded in October 2011, Big Basket currently provides services in Bangalore, Hyderabad, Mumbai, Pune, Chennai, Delhi, Noida, Mysore, Coimbatore, Vijayawada-Guntur, Kolkata, Ahmedabad-Gandhinagar, Lucknow-Kanpur, Gurgaon, Vadodara, Visakhapatnam, Surat, Nagpur, Patna, Indore and the Chandigarh Tricity.
This Bengaluru-based company, funded by Alibaba Group, Mirae Asset-Naver Asia Growth Fund, and the UK government-owned CDC Group, has a valuation of around $2 billion and lets consumers choose from over 18,000 products from over 1,000 brands, delivered to their doorstep.
In the course of our routine dark web monitoring, the Research team at Cyble found the database of Big Basket for sale in a cybercrime market, being sold for over $40,000. The leak contains a portion of the database, with the table name ‘member_member’. The size of the SQL file is ~15 GB, containing close to 20 million user records. More specifically, this includes full names, email IDs, password hashes (potentially hashed OTPs), PIN, contact numbers (mobile + phone), full addresses, date of birth, location, and IP addresses of login, among many other fields.
Cyble has already informed the management team of the leak and they are currently working towards a disclosure process.
Based upon the leaked records, it appears the breach occurred on October 14, 2020.
Cyble is disclosing the alleged data leak in the interest of the population impacted.
People who are concerned about their information exposure can register on Cyble’s data breach monitoring and notification platform, AmiBreached.com, to ascertain the risks at no cost. Android users (Link) and iOS users (Link) can also gain full access to it by downloading the mobile application.
Here are a few ways to prevent cyber-attacks:
- Never click on unverified/unidentified links
- Do not open untrusted email attachments
- Only download media from sites you trust
- Never use unfamiliar USBs
- Use security software and keep it updated
- Backup your data periodically
- Keep passwords unique and unpredictable
- Keep Software and Systems up to date
- Train employees on Cyber Security
- Set up Firewall for your internet
- Take a Cyber Security assessment
- Update passwords regularly
Update on November 15 – It has been brought to our attention that BigBasket filed a First Information Report (FIR) on November 6, 2020, with the cyber cell of the Bengaluru Police to investigate the incident, a day before Cyble made the details of the breach public.
Ironically, it appears that the complaint has been made against Cyble itself, the party that reported the breach, aka “shooting the messenger”. Though Cyble has not received any communication from any of the concerned authorities at this stage, it is still necessary to put forth the truth and clarify a few things here –
- It is necessary to highlight that the said cyber-attack on BigBasket was conducted by an infamous organized hacking group, namely “ShinyHunters”. On becoming aware of the perpetrators, Cyble updated its blog, which disclosed the cyber-attack in question, accordingly. It should be noted that Cyble carried out a responsible disclosure of the breach suffered by the concerned party and, before that, in full good faith, had duly communicated the relevant information, along with timelines, to the affected party.
- We see this allegation as a desperate attempt to erode our reputation and credibility by certain nefarious and malicious entities (such as paid / incompetent media outlets). The fact is – we found the breach, we provided the intelligence related to the breach to their team (with no obligation), and we disclosed the breach responsibly with clear timelines from our side.
- Cyble never had, nor has, any material interest or intent to establish any relationship with BigBasket in any shape or form whatsoever. It is reiterated that the intent of the disclosure was the larger public good and nothing else. A large number of reports are already in the public domain from those who believe in fairness and upholding the truth, and who have appreciated the work undertaken by Cyble in creating awareness amongst the public about data privacy while highlighting the immediate need for a mechanism to regulate data and prevent cyber-attacks. Privacy is everyone’s cherished right, and every person has the right to know whether their privacy has been breached or whether their personal information is compromised or at risk.
- Cyble has handed this matter over to its legal team to take appropriate action against the false accusations being levelled and to ensure that the truth prevails.
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the darkweb. Cyble’s prime focus is to provide organizations with real-time visibility into their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Startups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.io.