THIS IS HUGE!! A user of a hacking forum, along with his partner, is selling the personal data of 700K+ users for just $350, which they have allegedly stolen from @moneycontrolcom's server 6-7 months back.
1/9
@IndianCERT @NCIIPC @sanjg2k1 @internetfreedom
#databreach #privacy
@moneycontrolcom is the largest online financial platform in India and it gets over 17 million visitors every month across all its platforms.
2/9
According to the post the sellers have made, the data they have with them includes login credentials to one's @moneycontrolcom account along with their phone number, country, PIN code, gender, DOB, address, city and state, and most of this data belongs to Indians.

3/9
I was able to have a conversation with them on Telegram and what they shared blew my mind:
According to them, they exploited a vulnerability in @moneycontrolcom and were able to access 40M+ records, but are willing to sell only 700K+ records since they have other plans.
4/9
They have further shared the login credentials of around 40 @moneycontrolcom accounts as a sample, and I have personally verified that almost all of those credentials are valid and working, which is something to be really worried about!
5/9
Among the credentials they shared there were also @moneycontrolcom accounts which had their email address verified, which hints that they are not dummy accounts made by the sellers (since only the owner of the email ID can verify the account).
6/9
They added that they will be selling the database to only 5 different buyers for $350 each. However, if somebody wants to have the data all alone, then the price will go up to €650. They also said the vulnerability that they had exploited to get this data has now been fixed.
7/9
Now I can't tell if all of their claims are correct, but the login credentials that they have shared as a sample are definitely valid, and thus I feel @moneycontrolcom should look into this ASAP. Also, I was able to match some of the names and numbers using Truecaller :)
8/9
If the claims made by these sellers are authentic, then it's unfortunate to say that a massive number of people's data is at stake.
Any updates about this will be posted in this thread. Also, I will be happy to assist the concerned authorities with more details.
9/9
*UPDATE 1*
From the various replies to this thread, I learnt that many users have received a "Password Reset" mail from @moneycontrolcom the very next day after I highlighted this incident. However, there is no mention of the alleged "Data Breach" in the entire mail.
(1/4)
The mail sent to the users states that @moneycontrolcom has reset the user's account password just for the reason that the currently set password didn't comply with the "Updated Password Policy".
Here is a screenshot of the mail sent to users:
(2/4)
However, I found that @moneycontrolcom had once updated their password policy back in 2016 and have been following the same till date.
Then why have such mails been sent all of a sudden, 5 years after the policy update, and that too when this particular incident came to light?
(3/4)
Is this just a sneaky way of asking the users to change their password, without letting them know about the breach? I believe users have the right to know if their data gets stolen!
Expecting some clarity over this from the concerned authorities.
Hoping for the best.
(4/4)