BigBasket Confirms a Data Breach That Might Have Affected 20 Million Customers
Indian online grocery store BigBasket informed customers of a potential data breach. According to the company, the exact scope and consequences of the breach are still being assessed and evaluated.
BigBasket further stated that they had filed a formal complaint with the Bangalore Cyber Crime Cell - an institution responsible for dealing with cybercrime in Bangalore City. Curiously, the Bangalore Cyber Crime Cell was not able to confirm ever receiving a complaint from BigBasket.
A company representative said that BigBasket does not store financial data, including credit card strings, and believes this customer data is secure. BigBasket does store email IDs, telephone numbers and delivery addresses. All of this information could potentially be in the hands of bad actors who accessed it illegally.
A cyber security company discovered the breach and alerted BigBasket to the issue. The US firm, called Cyble, stated that the breach was initially discovered on October 30, even though it occurred 2 weeks prior. Cyble's finding was reported to BigBasket just a day later.
The cyber security firm discovered BigBasket's customer database put up for sale on a dark web hacker forum for $40 thousand. This price would net the potential buyer around 20 million database records, including customer names, hashed passwords, real-world addresses and IP addresses used to access BigBasket's services. That is a significant chunk of personally identifiable information on every single user.
BigBasket serves over two dozen cities and smaller towns in India, so those 20 million customer records are probably well spread in terms of territories.
As with all data breaches and database leaks, the affected users can do nothing except change their passwords and hope for the best. Even if credential stuffing can be prevented by using different passwords on different sites and services, there is sadly nothing a user can do when their name, e-mail and address get stolen and leaked online.