THIS IS HUGE !! An user of a hacking forum along with his partner are selling personal data of 700K+ users for just $350 which they have allegedly stolen from @moneycontrolcom& #39;s server 6-7 months back.
1/9
@IndianCERT @NCIIPC @sanjg2k1 @internetfreedom
#databreach #privacy
@moneycontrolcom is the largest online financial platform in India and it gets over 17 million visitors every month across all its platforms.
2/9
According to the post which the sellers have made, the data which they have with them includes login credentials to one& #39;s @moneycontrolcom account and also their phone number, country, pin code, gender, DOB, address, city, state and most of these data belong to Indianshttps://abs.twimg.com/emoji/v2/... draggable="false" alt="🤦" title="Person schlägt sich die Hand vors Gesicht" aria-label="Emoji: Person schlägt sich die Hand vors Gesicht">https://abs.twimg.com/emoji/v2/... draggable="false" alt="🤦" title="Person schlägt sich die Hand vors Gesicht" aria-label="Emoji: Person schlägt sich die Hand vors Gesicht">
3/9
According to the post which the sellers have made, the data which they have with them includes login credentials to one& #39;s @moneycontrolcom account and also their phone number, country, pin code, gender, DOB, address, city, state and most of these data belong to Indianshttps://abs.twimg.com/emoji/v2/... draggable=https://abs.twimg.com/emoji/v2/... draggable="false" alt="🤦" title="Person schlägt sich die Hand vors Gesicht" aria-label="Emoji: Person schlägt sich die Hand vors Gesicht">3/9" title="According to the post which the sellers have made, the data which they have with them includes login credentials to one& #39;s @moneycontrolcom account and also their phone number, country, pin code, gender, DOB, address, city, state and most of these data belong to Indianshttps://abs.twimg.com/emoji/v2/... draggable="false" alt="🤦" title="Person schlägt sich die Hand vors Gesicht" aria-label="Emoji: Person schlägt sich die Hand vors Gesicht">https://abs.twimg.com/emoji/v2/... draggable="false" alt="🤦" title="Person schlägt sich die Hand vors Gesicht" aria-label="Emoji: Person schlägt sich die Hand vors Gesicht">3/9" class="img-responsive" style="max-width:100%;"/>
I was able to have a conversation with them on telegram and what they shared blew my mind :

According to them, they exploited a vulnerability in @moneycontrolcom and was able to access 40M+ records but are willing to sell only 700K+ records since they have other plans.
4/9
I was able to have a conversation with them on telegram and what they shared blew my mind :According to them, they exploited a vulnerability in @moneycontrolcom and was able to access 40M+ records but are willing to sell only 700K+ records since they have other plans.4/9
I was able to have a conversation with them on telegram and what they shared blew my mind :According to them, they exploited a vulnerability in @moneycontrolcom and was able to access 40M+ records but are willing to sell only 700K+ records since they have other plans.4/9
They have further shared login credentials of around 40 @moneycontrolcom accounts as sample and I have personally verified that almost all of those credentials are valid and working which is something to be really worried about !
5/9
Among the credentials they shared there were also @moneycontrolcom accounts which had their email address verified which hints that they are not dummy accounts made by the sellers (since only the owner of the email ID can verify the account)
6/9
They added that they will be selling the database to only 5 different buyers for 350$ each. However if somebody wants to have the data all alone, then the price will go up to €650. They also said the vulnerability that they had exploited to get these data has now been fixed.
7/9
They added that they will be selling the database to only 5 different buyers for 350$ each. However if somebody wants to have the data all alone, then the price will go up to €650. They also said the vulnerability that they had exploited to get these data has now been fixed.7/9
They added that they will be selling the database to only 5 different buyers for 350$ each. However if somebody wants to have the data all alone, then the price will go up to €650. They also said the vulnerability that they had exploited to get these data has now been fixed.7/9
They added that they will be selling the database to only 5 different buyers for 350$ each. However if somebody wants to have the data all alone, then the price will go up to €650. They also said the vulnerability that they had exploited to get these data has now been fixed.7/9
Now I can& #39;t tell if all of their claims are correct but the login credentials that they have shared as sample are defenitely valid and thus I feel @moneycontrolcom should look into this asap. Also I was able to match some of the names and numbers using Truecaller :)
8/9
If the claims made by these sellers are authentic, then it& #39;s unfortunate to say that a massive number of people& #39;s data is at stake.

Any updates about this, will be posted in this thread. Also I will be happy to assist the concerned authorities with more details.
9/9
*UPDATE 1*

From the various replies to this thread, I learnt that, many users have received a "Password Reset" mail from @moneycontrolcom the very next day after I highlighted this incident. However there is no mention about the alleged "Data Breach" in the entire mail https://abs.twimg.com/emoji/v2/... draggable="false" alt="😕" title="Verwirrtes Gesicht" aria-label="Emoji: Verwirrtes Gesicht">
(1/4)
The mail sent to the users state that @moneycontrolcom has reset the user& #39;s acc password just for the reason that the currently set password didn& #39;t comply with the "Updated Password Policy".

Here is a screenshot of the mail sent to users :
(2/4)
However I found that @moneycontrolcom had once updated their password policy back in 2016 and are following the same till date.

Then why have such mails been sent all of a sudden,after 5 years from the policy update & that too when this particular incident came to light ?
(3/4)
However I found that @moneycontrolcom had once updated their password policy back in 2016 and are following the same till date. Then why have such mails been sent all of a sudden,after 5 years from the policy update & that too when this particular incident came to light ?(3/4)
However I found that @moneycontrolcom had once updated their password policy back in 2016 and are following the same till date. Then why have such mails been sent all of a sudden,after 5 years from the policy update & that too when this particular incident came to light ?(3/4)
However I found that @moneycontrolcom had once updated their password policy back in 2016 and are following the same till date. Then why have such mails been sent all of a sudden,after 5 years from the policy update & that too when this particular incident came to light ?(3/4)
Is this just a sneaky way of asking the users to change their password, without letting them know about the breach? I believe users have the right to know if their data gets stolen !

Expecting some clarity over this from the concerned authorities.
Hoping for the best https://abs.twimg.com/emoji/v2/... draggable="false" alt="🙌" title="Erhobene Hände" aria-label="Emoji: Erhobene Hände">
(4/4)
You can follow @TechCrucio.
Tip: mention @twtextapp on a Twitter thread with the keyword “unroll” to get a link to it.

Latest Threads Unrolled:
There are a lot of misconceptions about the Turkish diaspora in Germany. Since i just finished writing an essay about this topic I thought it's time to give other people
Read more
Las mejores calculadoras online en 2020A thread http://totumat.com/2020/11/26/las-mejores-calculadoras-online-en-2020/ Cuando se estudian asignaturas que requieren de cálculos complicados, nada mejor que contar con una buena calculadora.
Read more
Mitigating #ClimateChange is as much about taking up new techs as about leaving others behindMost studies focus on #coal's global downfall but another #energy tech decline is loomingRead my new
Read more